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Introduction 


he AZ-801 exam deals with advanced topics that require candidates to have an excellent 
Wea knowledge of Microsoft Windows Server and Azure Hybrid functionality. The 
exam covers topics that even experienced Windows Server Hybrid administrators may rarely 
encounter unless they are consultants who manage hybrid cloud workloads on a regular basis. 
To be successful in taking this exam, candidates need to understand not only how to secure 
Windows Server and Active Directory, but also how to manage and configure high availability 
and disaster recovery, migrate workloads to newer versions of Windows Server and to Azure, 
as well as monitor and troubleshoot Windows Server workloads across on-premises, hybrid, 
and cloud infrastructure. 


Candidates for this exam are information technology (IT) professionals who want to validate 
their advanced Windows Server Hybrid administration skills and knowledge. To pass, candi- 
dates require a thorough theoretical understanding as well as meaningful practical experience 
implementing the technologies involved. 


This edition of this book covers Windows Server and the AZ-801 exam objectives as of 
mid-2022. As Windows Server hybrid technologies evolve, so do the AZ-801 exam objectives, 
so you should check carefully if any changes have occurred since this edition of the book was 
authored and study accordingly. 


This book covers every major topic area found on the exam, but it does not cover every 
exam question. Only the Microsoft exam team has access to the exam questions, and Microsoft 
regularly adds new questions to the exam, making it impossible to cover specific questions. 
You should consider this book a supplement to your relevant real-world experience and other 
study materials. If you encounter a topic in this book that you do not feel completely comfort- 
able with, use the “Need more review?” links you'll find in the text to find more information 
and take the time to research and study the topic. Great information is available on Microsoft 
Docs and Microsoft Learn, and in blogs and forums. 


Organization of this book 


This book is organized by the “Skills measured” list published for the exam. The “Skills mea- 
sured" list is available for each exam on the Microsoft Learning website: microsoft.com/learn. 
Each chapter in this book corresponds to a major topic area in the list, and the technical tasks 
in each topic area determine a chapter's organization. If an exam covers six major topic areas, 
for example, the book will contain six chapters. 
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Microsoft certifications 


Microsoft certifications distinguish you by proving your command of a broad set of skills and 
experience with current Microsoft products and technologies. The exams and corresponding 
certifications are developed to validate your mastery of critical competencies as you design 
and develop, or implement and support, solutions with Microsoft products and technologies 
both on-premises and in the cloud. Certification brings a variety of benefits to the individual 
and to employers and organizations. 


MOREINFO ALL MICROSOFT CERTIFICATIONS 


For information about Microsoft certifications, including a full list of available certifications, 


go to microsoft.com/learn. 


Check back often to see what is new! 


Quick access to online references 


Throughout this book are addresses to webpages that the author has recommended you visit 
for more information. Some of these addresses (also known as URLs) can be painstaking to 
type into a web browser, so we've compiled all of them into a single list that readers of the print 
edition can refer to while they read. 

Download the list at MicrosoftPressStore.com/ExamRefAZ801/downloads 

The URLs are organized by chapter and heading. Every time you come across a URL in the 
book, find the hyperlink in the list to go directly to the webpage. 


Errata, updates, & book support 


We've made every effort to ensure the accuracy of this book and its companion content. You 
can access updates to this book—in the form of a list of submitted errata and their related 
corrections—at: 


MicrosoftPressStore.com/ExamRefAZ801/errata 
If you discover an error that is not already listed, please submit it to us at the same page. 


For additional book support and information, please visit MicrosoftPressStore.com/Support. 
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Please note that product support for Microsoft software and hardware is not offered 
through the previous addresses. For help with Microsoft software or hardware, go to 
http://support.microsoft.com. 


Stay in touch 


Let's keep the conversation going! We're on Twitter: http://twitter.com/MicrosoftPress. 
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Secure Windows Server 
on-premises and hybrid 
infrastructure 


Windows Server 2022 is the most secure version of the Microsoft Windows Server operat- 
ing system, but you can configure the operating system to be far more secure than it is in 

a default deployment. Hardening is the process of configuring security controls to improve 
security. Applying security controls is always a matter of balancing security with the require- 
ments of the environment. In this chapter, you'll learn about the security technologies avail- 
able for Windows Server and hybrid deployments. 


Skills covered in this chapter: 
m Skill 1.1: Secure Windows Server operating system 
m Skill 1.2: Secure a hybrid Active Directory infrastructure 


m Skill 1.3: Identify and remediate Windows Server security issues by using 
Azure services 


m Skill 1.4: Secure Windows Server networking 


m Skill 1.5: Secure Windows Server storage 


Skill 1.1: Secure Windows Server operating system 


Windows Server includes a variety of technologies that you can use to secure the operating 
system. While implementing each of these technologies increases the security of your Win- 
dows Server deployment, it's important to understand that implementing no single technol- 
ogy or set of technologies guarantees that your deployment can’t be compromised by the 
most determined of attackers. By implementing each technology, you will make Windows 
Server just a bit more difficult to compromise, thereby increasing the security of your organi- 
zation’s Windows Server deployment. 
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This section covers how to: 

= Configure and manage exploit protection 

= Configure and manage Windows Defender Application Control 
= Configure and manage Windows Defender for Endpoint 

= Configure and manage Windows Defender Credential Guard 

= Configure SmartScreen 

= Implement operating system security by using Group Policies 


= Configure Windows Server Auditing 


Configure and manage exploit protection 


Exploit protection allows you to configure extra security settings for Windows Server, such as 
Control Flow Guard (CFG) and Data Execution Prevention (DEP). In past versions of Windows 
Server, you would use the Enhanced Mitigation Experience Toolkit (EMET), a separate product 
that you download and install to perform this task. Figure 1-1 shows the Exploit Protection set- 
tings in the Windows Security Control Panel section. 


Windows Security 
Exploit protection 
E See the Exploit protection settings for your 
system and programs. You can customize the 
Q Home 


settings you want. 
1?) Virus & threat protection 
. | System settings Program settir 
(Firewall & network protection past Bad ~ bad ~ 
| E App & browser control 


; Control flow guard (CFG) 
2 Device security Ensures control flow integrity for indirect calls, 


Use default (On) 


Data Execution Prevention (DEP) 
Prevents code from being run from data-only 
memory pages. 


Force randomization for images (Mandatory 


ASLR) 
Force relocation of images not compiled with / 
DYNAMICBASE 
& Settings Export settings 
FIGURE 1-1 Exploit protection 
CHAPTER1 Secure Windows Server on-premises and hybrid infrastructure 
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Some exploit protection mitigation settings are configurable at the system level, and some 
are only configurable on a per-app basis. The settings that can be configured at both the sys- 
tem and app levels are as follows: 


Control Flow Guard Configurable at the system and program levels. Ensures control 
flow integrity for indirect calls. 


Data Execution Prevention Configurable at the system and program levels. Prevents 
code from being executed from data-only memory pages. 
Force Randomization For Images (Mandatory ASLR) Configurable at the system 


and program levels. Forces reallocation of memory images that haven't been compiled 
with the DYNAMICBASE option. 


The settings that you can only configure at the application level are as follows: 


Arbitrary Code Guard Prevents non-image-backed executable code and code page 
modification 


Block Low Integrity Images Blocks the loading of images marked with low integrity 
Block Remote Images Blocks the loading of images from remote devices 

Block Untrusted Fonts Blocks the loading of any GDI-based fonts not installed in the 
system Fonts directory 

Code Integrity Guard Restricts the loading of images to those that have been digi- 
tally signed by Microsoft 


Disable Extension Points Disables extensibility mechanisms that allow DLL injection 
into all processes 

Disable Win32k System Calls Blocks programs from using the Win32K system call 
table 

Do Not Allow Child Processes Prevents programs from spawning child processes 
Export Address Filtering (EAF) Filters dangerous exported functions that are being 
resolved by malicious code 

Import Address Filtering (IAF) Filters imported functions being resolved by mali- 
cious code 

Randomize Memory Allocations (Bottom-Up ASLR) Randomizes locations for 


virtual memory allocation 


Simulate Execution (SimExec) Ensures that calls to sensitive functions are returned 
to legitimate callers 


Validate API Invocation (CallerCheck) Ensures that sensitive APIs can only be 
invoked by legitimate callers 


Validate Exception Chains (SEHOP) Ensures the integrity of an exception chain 
during dispatch 
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= Validate Handle Usage Raises an exception on any invalid handle references 
= Validate Heap Integrity Terminates a program when heap corruption is detected 


= Validate Image Dependency Integrity Enforces code signing for Windows image 
dependency loading 


= Validate Stack Integrity (StackPivot) Ensures that the stack has not been redirected 
for sensitive functions 


You configure exploit protection from PowerShell using the Set-ProcessMitigation cmdlet. 
For example, to enable Data Execution Prevention (DEP) at the system level, you would run this 
command: 


Set-ProcessMitigation -System -Enable DEP 
You can view which exploit protection settings are enabled by running the following 
command: 


Get-ProcessMitigation -System 


You can use the following command to export an Exploit Guard configuration: 


Get-ProcessMitigation -RegistryConfigFilePath exportedconfig.xml 


You can import an exported Exploit Guard configuration by using the following command: 


Set-ProcessMitigation -PolicyFilePath exportedconfig. xml 


NEED MORE REVIEW? EXPLOIT PROTECTION 


You can learn more about exploit protection at https://docs.microsoft.com/en-us/windows/ 
security/threat-protection/microsoft-defender-atp/enable-exploit-protection. 


Controlled Folder Access is a security technology that allows you to protect specific folders 
on a Windows Server computer against malicious software. Controlled Folder Access is a useful 
tool for preventing ransomware from encrypting the folders that host file shares because you 
can use it to restrict which software can interact with specific paths on a computer running 
Windows Server. Controlled Folder Access will allow trusted applications, such as those that are 
included with the operating system, to interact with protected folders. 


On computers running Windows Server with Desktop Experience, you can use the Virus 
& Threat Protection area of the Windows Security Control Panel to configure which folders 
are protected and which applications can interact with protected folders, as shown in 
Figure 1-2. 


You can configure Controlled Folder Access from PowerShell using the Set-MpPreference 
cmdlet. To do so, run this command: 


Set-MpPreference -EnableControlledFolderAccess Enabled 


Secure Windows Server on-premises and hybrid infrastructure 
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Windows Security 


Ransomware protection 


Protect your files against threats like 
ransomware, and see how to restore files in case 


A Home of an attack. 


© Virus & threat protection 


(p) Firewall & network protection Controlled folder access 


Protect files, folders, and memory areas on your 
device from unauthorized changes by unfriendly 
applications, 


& on 


Protected folders 


E App & browser control 


& Device security 


Allow an app through Controlled folder access 


FIGURE 1-2 Controlled Folder Access 


To disable Controlled Folder Access, run this command: 


Set-MpPreference -EnableControlledFolderAccess Disabled 


To add a new location for Controlled Folder Access to monitor, run this command: 


Add-MpPreference -ControlledFolderAccessProtectedFolders "E:\fileshare" 


To remove a location from Controlled Folder Access monitoring, run this command: 


Remove-MpPreference -ControlledFolderAccessProtectedFolders "E:\fileshare" 


To allow an application to interact with a protected folder, run this command: 
Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\application\app.exe" 


You can also use the Remove-MpPreference cmdlet to revoke an application's ability to inter- 
act with a protected location. 


NEED MORE REVIEW? CONTROLLED FOLDER ACCESS 


You can learn more about Controlled Folder Access at https://docs.microsoft.com/en-us/ 
microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access. 


Configure and manage Windows Defender Application 
Control 


Windows Defender Application Control (WDAC), known in previous versions of Windows 
Server as Device Guard and Configurable Code Integrity (CCI) policies, is a hardware- and 
software-based security system that restricts the execution of applications to those that are 
explicitly trusted. WDAC uses virtualization-based security to isolate a special service named 


Skill 1.1: Secure Windows Server operating system 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


the code integrity service from the Windows kernel. Because the code integrity service is run- 
ning as a trustlet in a special virtualized location, compromising the service is difficult, if not 
impossible, even if an attacker has complete control of the operating system. The WDAC name 
isn't present in all locations of the operating system, such as Group Policy, so occasionally you 
will still see references to Device Guard in items such as Group Policy. 


WDAC includes the following features: 


Virtual Secure Mode This is a special virtual container that isolates the LSASS.exe 
process from the operating system. 


Configurable Code Integrity This is the rules engine that, in conjunction with Virtual 
Secure Mode Protected Code Integrity, validates code that Windows Server attempts to 
enact. 


Virtual Secure Mode Protected Code Integrity Uses two components to enforce 
Configurable Code Integrity policy. 


User Mode Code Integrity Manages whether user mode code can execute. 
Kernel Mode Code Integrity Manages whether kernel mode code can execute. 


Platform and UEFI Secure Boot Ensures that the boot loader code and firmware are 
validated and prevents malware from modifying the boot environment. 


To enable Virtual Secure Mode, perform the following steps: 
1. 


2 
3. 
4 


Enable Secure Boot and Trusted Platform Module (TPM). 
Enable Hyper-V. 
Enable Isolated User Mode. 


Configure the Turn On Virtualization Based Security Policy, located in the Computer 
Configuration\Administrative Templates\System\Device Guard\ node. 


Configure the BCD store to start Virtual Secure Mode. You do this by running the follow- 
ing command: 


bcdedit /set vsmlaunchtype auto 


By default, WDAC runs in Audit mode. This allows you to tune a policy to ensure that the 
software that you want to run can run and won't be blocked. You have several options when it 
comes to controlling which software can run on a computer protected by Device Guard. These 
are as follows: 


Only allow software that is digitally signed by a trusted publisher to run on the server. 
If you are using internally written code, you can use your organization's code signing 
certificate to digitally sign code. You use the New-CIPolicy cmdlet to create an XML 
file with all relevant details about signed files on a system, and then use the Convert- 
From-CIPolicy cmdlet to convert this XML file into a binary file that is placed in the 
CAWindows\System32\Codelntegrity folder and can be used by Device Guard to 
determine which software can run on the protected system. 


Use Package Inspector to create a catalog of all deployed and executed binary files for 
applications that you trust. You can use this when you need to deal with third-party 
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applications that you trust but that are not digitally signed. Package Inspector is included 
with the operating system and is located in the C:\Windows\System32 directory. Package 
Inspector creates a catalog of hash files for each binary executable. Once the catalog file 
is created, you can digitally sign the catalog using signtool.exe, which is available in the 
Windows Software Development Kit (SDK) that you can download from the Microsoft 
website. Ensure that the signing certificate is added to the code integrity policy. WDAC 
blocks any software that is not in the signed catalog from running. You can use Group 
Policy and Configuration Manager to deploy code integrity policies and catalog files. 


You can deploy WDAC on a test machine using the Device Guard and Credential Guard 
Readiness Tool. (The tool still uses the previous name for WDAC.) This tool assesses a com- 
puter’s readiness to be configured for WDAC and allows you to perform a test deployment. 
Test deployments are important because you don't want to deploy WDAC and then find that 
business-critical software can no longer execute. 


Once you've verified that a computer is ready for WDAC, you configure the Turn On Virtu- 
alization Based Security policy, located in the Computer Configuration\Policies\Administrative 
Templates\System\Device Guard section of a Group Policy Object (GPO) and configure the 
policy so that Virtualization Based Protection of Code Integrity is set to either Enabled With 
UEFI Lock or Enabled Without Lock. The difference is that if you use the Enabled With UEFI 
Lock, as shown in Figure 1-3, the policy can only be disabled by signing in directly to the server. 


A Turn On Virtualization Based Security o x 


FE] Tum On Virtualization Based Security menasan] B 


O Not Configured Comment: 


@ Enabled 

O Disabled = 
Supportedon: [At least Windows Server 2016, Windows 10 

Options: Help: 


Specifies whether Virtualization Based Security is enabled, 


Select Platform Security Level: 


Secure Boot and DMA Protection v Virtualization Based Security uses the Windows Hypervisor to 
provide support for security services. Virtualization Based 
Virtualization Based Protection of Code Integrity: Security requires Secure Boot, and can optionally be enabled 
= with the use of DMA Protections. DMA protections require 
Enabled with UEFI lock ¥ hardware support and will only be enabled on correctly 


figured devices. 
Credential Guard Configuration: be meS 
fE nabled with UEFI lock S Virtualization Based Protection of Code Integrity 


This setting enables virtualization based protection of Kemel 
Mode Code Integrity. When this is enabled, kernel mode 
memory protections are enforced and the Code Integrity 
validation path is protected by the Virtualization Based Security 
feature. 


The “Disabled” option turns off Virtualization Based Protection of 
Code Integrity remotely if it was previously turned on with the 
“Enabled without lock" option. 


[a] [ee | | ay 


FIGURE 1-3 Turn On Virtualization Based Security 
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NEED MORE REVIEW? \WDAC DEPLOYMENT GUIDE 


You can learn more about WDAC deployment at https://docs.microsoft.com/ 
en-us/windows/security/threat-protection/windows-defender-application-control/ 
windows-defender-application-control-deployment-guide. 


Configure and manage Windows Defender for Endpoint 


Windows Server includes Windows Defender, the Microsoft antimalware solution. Win- 

dows Defender is enabled by default when you deploy Windows Server. To disable Windows 
Defender, you must remove it, either by using the Add Roles And Features Wizard or by using 
the following Uninstal1-windowsFeature cmdlet: 


Uninstall-WindowsFeature -Name Windows-Server-Antimalware 
You can use the following PowerShell cmdlets to manage Windows Defender on computers 
running the GUI, or the Server Core version of Windows Server: 
= Add-MpPreference Modifies Windows Defender settings. 
= Get-MpComputerStatus View the status of antimalware software on the server. 
= Get-MpPreference View the Windows Defender preferences for scans and updates. 
= Get-MpThreat View the history of malware detected on the computer. 


= Get-MpThreatCatalog Get known threats from the definitions catalog. You can use 
this list to determine if a specific threat is known to Windows Defender. 


= Get-MpThreatDetection Lists active and past threats that Windows Defender has 
detected on the computer. 


= Remove-MpPreference Removes an exclusion or default action. 

= Remove-MPThreat Removes an active threat from the computer. 

m= Set-MpPreference Allows you to configure scan and update preferences. 
= Start-MpScan Starts an antimalware scan on a server. 

m= Start-MpWDOScan_ Triggers a Windows Defender offline scan. 


m Update-MpSignature Triggers an update for antimalware definitions. 


NEED MORE REVIEW? WINDOWS DEFENDER FOR WINDOWS SERVER 


You can learn more about Windows Defender for Windows Server at https:// 
docs.microsoft.com/en-us/windows-server/security/windows-defender/windows- 
defender-overview-windows-server. 


Secure Windows Server on-premises and hybrid infrastructure 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


Configure and manage Windows Defender Credential 
Guard 


Windows Defender Credential Guard allows you to leverage virtualization-based security 

to isolate secrets, such as cached user credentials, in a special separate virtualized operating 
system. The special separate virtualized operating system is configured so that only specific 
processes and memory in the host operating system can access this secret data. The processes 
running in the separate virtualized operating system are termed trustlets. 


Windows Defender Credential Guard is primarily a response to pass-the-hash or pass-the- 
ticket attacks. Should a host that has Credential Guard be compromised by an attacker, that 
attacker won't be able to successfully run a pass-the-hash attack tool to extract cached creden- 
tials and then use them to access other computers on the network. 


Windows Defender Credential Guard includes the following features and solutions: 


m Stores derived domain credentials in a virtualized environment that is protected from 
the running operating system. 


m You can manage Credential Guard by using Group Policy, Windows Management 
Instrumentation (WMI), or Windows PowerShell. 


Windows Defender Credential Guard does not allow: 

m Unconstrained Kerberos delegation 

m NT LAN Manager version 1 (NTLMv1) 

= Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2) 
= Digest Authentication 

m Credential Security Support Provider (CredSSP) 

= Kerberos DES encryption 


Credential Guard can be used in conjunction with the Protected Users group in a layered 
approach to the protection of highly privileged accounts. The Protected Users group remains 
useful because your organization might not have computers that support Credential Guard. 
You can deploy Credential Guard only on computers that meet certain hardware requirements. 
Credential Guard is primarily useful for Privileged Access Workstations, but you should imple- 
ment it eventually on any computer where IT operations personnel use privileged domain 
accounts. Microsoft does not support enabling Credential Guard on domain controllers. This is 
because the domain controller hosts authentication services that must integrate with processes 
that would be isolated by virtualization-based security when Credential Guard is enabled. If 
you do this, crashes or other unpredictable results might occur. 


Windows Defender Credential Guard has the following requirements: 
m Windows Server 2016 or later, or Windows 10 Enterprise or later 
m UEFI firmware version 2.3.1 or higher 


m Secure Boot 
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m Intel VT-x or AMD-V virtualization extensions 

m Second Level Address Translation 

m x64 processor architecture 

m AVT-d or AMD-Vi IOMMU input/output memory management unit 

m TPM 1.2 or 2.0 

m Secure firmware update process 

m Firmware updated to support Secure MOR implementation 

To enable Windows Defender Credential Guard on an appropriately configured computer, 
you need to configure the Turn On Virtualization Based Security policy, which is located in the 


Computer Configuration\Administrative Templates\System\Device Guard node of a GPO. This 
is the same policy that you also use to configure WDAC (previously known as Device Guard). 

While configuring this policy, you must first set the policy to Enabled, and then you must set 
the platform security level to either Secure Boot or to Secure Boot And DMA Protection. Secure 
Boot And DMA Protection ensures that Windows Defender Credential Guard is used with 
Direct Memory Access protection. 

Once this is done, you need to then set the Windows Defender Credential Guard Configu- 
ration option to Enabled With UEFI Lock or Enabled Without Lock. If you select Enabled With 
UEFI Lock, Credential Guard cannot be remotely disabled and can only be disabled by having 
someone with local Administrator privileges sign on and disable Credential Guard configura- 
tion locally. The Enabled Without UEFI Lock option allows Windows Defender Credential Guard 
to be remotely disabled. 


NEED MORE REVIEW? WINDOWS DEFENDER CREDENTIAL GUARD 


You can learn more about Windows Defender Credential Guard at https://docs.microsoft.com/ 
en-us/windows/security/identity-protection/credential-guard/credential-guard. 


There are multiple techniques that you can employ to reduce the chance of an attacker 
successfully executing a pass-the-hash attack. Enabling LSA protection makes it more difficult 
for the Local Security Authority to be compromised. To configure LSA protection on a domain 
controller: 


1. Open the Registry Editor (RegEdit.exe) and navigate to the Registry key that is located at 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. 


2. Create (or set the value of) this Registry key: “RunAsPPL”=dword:00000001. 


3. Restart the computer. 
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NEED MORE REVIEW? LOCAL SECURITY AUTHORITY PROTECTION 


You can learn more about Local Security Authority Protection at https://docs.microsoft.com/ 
en-us/windows-server/security/credentials-protection-and-management/configuring- 
additional-Isa-protection. 


Configure SmartScreen 


Microsoft Defender SmartScreen, shown in Figure 1-4, provides you with a way of checking 
unrecognized files that have been downloaded to Windows Server against the properties of 
known malicious files that are stored in the Microsoft Graph security database. A good general 
security rule is to avoid downloading application files directly from the internet and install- 

ing them on Windows Server; instead, you should download them to a separate location, test 
them, and then copy them remotely to Windows Server for installation. 


Windows Security 
a 
O App & browser control 
= App protection and online security. 
Q Home 
© Virus & threat protection Check apps and files 


Windows Defender SmartScreen helps protect 
your device by checking for unrecognized apps 
and files from the web. 


(Ù Firewall & network protection 
| E App & browser control 


& Device security ®© Block 


O Wam 
O of 


Privacy Statement 


FIGURE 1-4 SmartScreen file check 


Windows Event Log for SmartScreen is disabled by default, but users can use the Event 
Viewer Ul to enable the log or the command line to enable it: 


wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true 


NEED MORE REVIEW? WINDOWS DEFENDER SMARTSCREEN 


You can learn more about Windows Defender SmartScreen at https://docs.microsoft.com/ 
en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft- 
defender-smartscreen- overview. 
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Implement operating system security by using 


Group Policies 


You can secure Windows Server by using Group Policy to assign and limit the specific rights 
that a user account needs to perform the tasks it needs to perform. Assign rights as close to the 
object as possible. For example, don't give a user account the ability to log in through Remote 
Desktop Services to all computers in an OU if the user account only needs remote desktop 
access to one or two computers. You can use Group Policy to configure the rights outlined in 


Table 1-1. 


TABLE 1-1 User Rights Assignment Policy 


User rights assignment policy 


Access Credential Manager As A 
Trusted Caller 


Access This Computer From The 
Network 


Act As Part Of The Operating System 


Add Workstations To Domain 


Adjust Memory Quotas For A Process 


Allow Log On Locally 


Allow Log On Through Remote 
Desktop Services 


Back Up Files And Directories 


Bypass Traverse Checking 


Change The System Time 


Change The Time Zone 


Function 


Used by Credential Manager during backup and restore. Do not assign 
this privilege to user accounts. 


Specifies which accounts and groups may connect to the computer 
from the network. Does not affect Remote Desktop Services. 


Allows a process to impersonate an account without requiring authen- 
tication. Processes that require this privilege are often assigned the 
Local System account. 


Grants the ability to join workstations to the domain. 


Configures which security principals can adjust the maximum amount 
of memory assigned to a process. 


Specifies which accounts can sign in locally to a computer. Alter this 
policy on privileged access workstations to remove members of the 
Users group. This limits which accounts can sign in to a computer. By 
default, any authenticated user can sign in to any workstation or server 
except for a domain controller. 


Determines which accounts and groups can sign in remotely to the 
computer using Remote Desktop. Configure this policy to allow users 
to access enhanced session mode for Hyper-V VMs. 


Grants permission to back up files, directories, registry, and other 
objects that the user account wouldn't normally have permission to. 
Assigning this right gives indirect access to all data on a computer. A 
person who holds the right can back that data up and then recover it in 
an environment over which they have complete control. 


Gives users with this right the ability to traverse directories on which 
they don't have permission. Does not allow the user to list the contents 
of that directory. 


Accounts with this right can alter the system time. System time is sepa- 
rate from the computer's time zone. 


Accounts with this right can alter the time zone but not the system 
time. 
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User rights assignment policy Function 


Create A Pagefile Allows the account assigned this right the ability to create and modify 
the page file. 
Create A Token Object Specifies which accounts can be used by processes to create tokens 


that allow accesses to local resources. You should not assign this right 
to any user who you do not want to give complete control of the 
system. This privilege can be used to elevate to local Administrator 
privileges. 


Create Global Objects Determines which accounts can create global objects that are available 
to all sessions. You should not assign this right to any user who you do 
not want to give complete control of the system. This privilege can be 
used to elevate to local Administrator privileges. 


Create Permanent Shared Objects Specifies which accounts can create directory objects by using the 
object manager. 


Create Symbolic Links Specifies which accounts can create symbolic links from the computer 
they are signed in to. Assign this right only to trusted users because 
symbolic links can expose security vulnerabilities in apps that aren't 
configured to support them. 


Debug Programs Specifies which accounts can attach a debugger to processes within 
the operating system kernel. Only required by developers writing new 
system components. Rarely, if ever, necessary for developers writing 
applications. Removing the default Administrator from this account 
will substantially limit the likelihood that utilities such as Mimikatz can 
be used to scrape credentials. 


Deny Access To This Computer From | Blocks specified accounts and groups from accessing the computer 
The Network from the network. This setting overrides the policy that allows access 
from the network. 


Deny Log On As A Batch Job Blocks specified accounts and groups from signing in as a batch job. 
Overrides the Log On As A Batch job policy. 


Deny Log On As A Service When assigned, blocks service accounts from registering a process as 
a service. Overrides the Log On As A Service policy. Does not apply to 
Local System, Local Service, or Network Service accounts. 


Deny Log On Locally When assigned, blocks accounts from signing on locally. This policy 
overrides the Allow Log On Locally policy. 


Deny Log On Through Remote When assigned, blocks accounts from signing in by using Remote 
Desktop Services Desktop Services. This policy overrides the Allow Sign In Through 
Remote Desktop Services policy. 


Enable Computer And User Accounts | Determines whether you can configure the Trusted For Delegation set- 


To Be Trusted For Delegation ting on a user or a computer object. 

Force Shutdown From A Remote Accounts assigned this right are allowed to shut down computers from 
System remote locations on the network. 

Generate Security Audits Determines which accounts can use processes to add items to the 


security log. Because this right allows interaction with the security log, 
it presents a security risk when you assign it to a user account. 
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User rights assignment policy 


Impersonate A Client After 
Authentication 


Increase A Process Working Set 


Increase Scheduling Priority 


Load And Unload Device Drivers 


Lock Pages In Memory 


Log On As A Batch Job 


Log On As A Service 


Manage Auditing And Security Log 


Modify An Object Label 


Modify Firmware Environment 
Values 


Perform Volume Maintenance Tasks 


Profile Single Process 
Profile System Performance 
Remove Computer From Docking 


Station 


Replace A Process Level Token 


Function 


Allows apps running on behalf of a user to impersonate a client. This 
right can be a security risk, and you should assign it only to trusted 
users. 


Accounts assigned this right can increase or decrease the number of 
memory pages visible to the process in RAM. 


Accounts assigned this right can change the scheduling priority of a 
process. 


Accounts assigned this right can dynamically load and unload device 
drivers into kernel mode. This right is separate from the right to load 

and unload Plug and Play drivers. Assigning this right is a security risk 
because it grants access to the kernel mode. 


Accounts assigned this right can use a process to keep data stored 
in physical memory, blocking that data from being paged to virtual 
memory. 


Accounts assigned this right can be signed in to the computer by 
means of a batch-queue facility. This right is only relevant to older ver- 
sions of the Windows operating system, and you should not use it with 
Windows Server 2022. 


Allows a security principal to sign in as a service. You need to assign 
this right to any service that is configured to use a user account, rather 
than one of the built-in service accounts. 


Users assigned this right can configure object access auditing options 
for resources such as files and AD DS objects. Users assigned this right 
can also view events in the security log and clear the security log. 
Because attackers are likely to clear the security log as a way of hid- 
ing their tracks, you should not assign this right to user accounts that 
would not normally be assigned local Administrator permissions on a 
computer. 


Users assigned this right can modify the integrity level of objects, 
including files, Registry keys, or processes owned by other users. 


Determines which users can modify firmware environment variables. 
This policy is used primarily for modifying the boot configuration set- 
tings of Itanium-based computers. 


Determines which accounts can perform maintenance tasks on a vol- 
ume. Assigning this right is a security risk because it might allow access 
to data stored on the volume. 


Determines which accounts can leverage performance-monitoring 
tools to monitor nonsystem processes. 


Determines which accounts can leverage performance-monitoring 
tools to monitor system processes. 


When assigned, the user account can undock a portable computer 
from a docking station without signing in. 


When assigned, the account can call the CreateProcessAsUser API 
so that one service can trigger another. 
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User rights assignment policy Function 


Restore Files And Directories Allows users assigned this right the ability to bypass permissions on 
files, directories, and the Registry, so that they can overwrite these 
objects with restored data. This right represents a security risk because 
a user account assigned this right can overwrite Registry settings and 
replace existing permissions. 


Shut Down The System Assigns the ability for a locally signed-in user to shut down the operat- 
ing system. 


Synchronize Directory Service Data Assigns the ability to synchronize AD DS data. 


Take Ownership Of Files Or Other When assigned, the account can take ownership of any securable 
Objects object, including AD DS objects, files, folders, Registry keys, processes, 
and threads. Represents a security risk because it allows an assigned 
user the ability to take control of any securable object. 


Security Compliance Toolkit 


The Security Compliance Toolkit (SCT) is a collection of tools that allow you to manage security 
configuration baselines for Windows Server and other Microsoft products. The SCT includes 
the Policy Analyzer tool and the Local Group Policy Object (LGPO) tool. 


SCT provides security baselines for: 
m Windows Server 2022 

m Windows Server 2019 

m Windows Server 2016 

m Windows Server 2012 R2 

m Windows 11 

m Windows 10 

m Microsoft Office 


m Microsoft Edge 


POLICY ANALYZER TOOL 
The Policy Analyzer tool allows you to compare Group Policy Objects (GPOs). You can use the 
Policy Analyzer tool to perform the following tasks: 


m Determine which existing GPO settings are redundant or are internally consistent 
m Determine the differences between different versions or collections of Group Policies 
= Compare GPO settings against a computer's local policy and Registry settings 


When downloading the SCT, you can also download security baseline GPOs. To perform an 
analysis of a system against a baseline, perform the following steps: 


1. Open the Policy Analyzer and select Add to add downloaded baseline policies. You can 
specify a folder that contains multiple exported GPOs. When you do this, all exported 
GPOs under the selected folder path will be imported. Figure 1-5 shows the Policy File 
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Importer with policies related to Windows Server selected for importing. After selecting 
which policies to import, select Import and save the selection of files as a policy rule. 


2! Policy File importer - a K 
File Edit 
Policy Type = Filename Folder 
fae teas WS ST Defender Antivieus Computer registry pol C:\Users\Administrator\Downloads\| 
MSFT Windows 10 1509 and Server 1909 - Domain Securty See Template GptTmplinf C:\Users\Administrator\Downloads 
MSFT Windows 10 1909 and Server 1909 Member Server - Credential Guard Computer registry pol C:\Users\Administrator\Downloads' 
MSFT Windows Server 1909 - Domain Controller Computer tegieiry pol C:\Ueere\Administrator\Downloads\ 
MSFT Windows Server 1909 - Domain Controller User registry pol C:\Users \Adminstrator\Downloads\ 
MSFT Windows Server 1909 - Domain Controller Sec Template GptTmplinf C:\Users Administrator Downloads) 
MSFT Windows Server 1909 - Domain Controller Aude Policy  audtesv CC: \Users Administrator\Downloads 
MSFT Windows Server 1909 - Domain Controller Virtualization Based Securty Computer regaty. pol C:\Users\Administrater\Downloads 
MSFT Windows Server 1909 - Member Server Computer registry pol C:\Users\Administrator\Downloads 
MSFT Windows Server 1905 - Member Server User registrypol C:\Users \Administrator\Downloads\) 
MSFT Windows Server 1909 - Member Server Sec Template GptTmplint C:\Users\Administrator\Downloads\ 
MSFT Windows Server 1909 - Member Server Audt Policy audit.csv CC: \Users \Administrator\Downloads’ 
£ z 
| 
Import... 


FIGURE 1-5 Policy File Importer 


2. You can then use the View/Compare button to compare policies and determine where 
they differ, as shown in Figure 1-6. 


PI Policy Viewer - 301 items 
i Clipboard + View + dh Export ~ Options + 


Kerberos Service Ticket Operations 


This pokey setting afows you to audit events generated by Kerberos authentication ticket granting teket (TGT) requests submited for user accounts. 

# you configure this polcy setting. an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits 
PING coe ono lg iota epa cure mance mahi TGT is request for a user account. 

Defaut on Cent editions: No Auditing. 

Defaut on Server edtions: Success. v 


FIGURE 1-6 Security Configuration Toolkit Policy Viewer 
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You can use the Policy Analyzer to export this report into a format that can be viewed in 
Excel. 


The Policy Analyzer is a reporting tool, and you cannot use it to directly apply policies. To 
apply policies, you can manually update GPO policies within your environment incremen- 
tally until they match the secure baseline. Taking an incremental approach allows you to test 
whether there are any unexpected consequences by applying new policies. 


You should avoid simply importing the security baseline policies into Active Directory and 
applying them unless you want to spend the next few weeks or months figuring out exactly 
which new policy setting you applied caused problems with your organization's existing 
workloads. 


LOCAL GROUP POLICY OBJECT TOOL 
The local GPO tool is a command-line utility that allows you to perform local Group Policy 
operations against domain-joined and nondomain-joined computers. You can use the local 
GPO tool to perform the following tasks: 

m Import settings into a computer's local Group Policy store from GPO backups 


m Import settings into a computer's local Group Policy store from component files, includ- 
ing Registry Policy (registry.pol), security templates, and advanced auditing CSV files 


m Export a computer's local policy settings to a GPO backup 
m Enable the use of Group Policy client-side extensions when processing local policy 


m Extract a Registry Policy (registry.pol) file into a readable text format that can then be 
edited and built into a new registry.pol file with different settings 


Disable NTLM 


NTLM is an older authentication protocol that is not as secure as Kerberos. You can disable 
NTLM by configuring the Network Security: Restrict NTLM: NTLM Authentication In This 
Domain policy in the default domain GPO and setting the policy to Disable, as shown in 

Figure 1-7. This policy can be found in the Policies\Windows Settings\Security Settings\Local 
Policies\Security Options node of the default domain GPO. Prior to disabling NTLM authentica- 
tion, you should configure the Network Security: Restrict NTLM: Audit Incoming NTLM Traffic 
policy to determine if and where the NTLM protocol is still being used in your organization's 
environment. 


NEED MORE REVIEW? DISABLE NTLM 


You can learn more about disabling NTLM at https://docs.microsoft.com/en-us/windows/ 
security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm- 


authentication-in-this-domain. 


Skill 1.1: Secure Windows Server operating system 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


17 


18 


Network security: Restrict NTLM: NTLM authentication in... ? x 
Security Policy Setting Explain 
E Network security: Restrict NTLM: NTLM authentication in this 


> domain 
[A] Define this policy setting 
Disable {v 
Modifying this setting may affect compatibility with clients, services, 
A and applications. 
For more information, see Network secunty: Restrict NTLM: NTLM 
in the Security Policy Technical 
ference 


[0K] | cen | [Ponty 


FIGURE 1-7 Disable NTLM 


Service accounts 


Service accounts allow services running on a computer to interact with the operating system as 
well as resources on the network. Windows Server uses three types of built-in service accounts, 
each of which is suitable for a specific set of circumstances. These accounts are as follows: 


m The Local System (NT AUTHORITY\SYSTEM) account has privileges that are equiva- 
lent to those assigned to a user account that is a member of the local Administrators 
group on the computer. A service that uses this account can act by using the computer 
account's credentials when interacting with other resources on the network. 


m The Local Service (NT AUTHORITY\LocalService) account has privileges that are equiva- 
lent to those assigned to a user account that is a member of the local Users group on 
the computer. A service that uses this account can access resources on the network 
without credentials. You use this account when a service does not need to interact with 
resources on the network and does not need local Administrator privileges on the com- 
puter on which it is running. 


m The Network Service (NT AUTHORITY\NetworkService) account has privileges that are 
equivalent to those assigned to a user account that is a member of the local Users group 
on the computer. A service that uses this account accesses resources on the network by 
using the computer account's credentials. 
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In the past, when you've needed to create a custom service account, you've probably cre- 
ated a user account and then assigned it an appropriate set of permissions. The challenge with 
this type of account is password management. Many organizations configure custom service 
accounts with passwords that never expire. 


A group-Managed Service Account (gMSA) is a special type of account that has AD DS man- 
age its password. The password of a gMSA is updated every 30 days. You don’t need to know 
the password of a gMSA, even when configuring a service to use that password, because gMSA 
accounts provide you with a domain-based service account identity without all the hassle of 
service account password management. 


You can only use a gMSA if the forest is running at the Windows Server 2012 functional level 
or higher. You also must have deployed the master root key for AD DS. You can deploy the 
master root key by running the following command using an account that is a member of the 
Enterprise Admins group: 


Add-KdsRootKey -EffectiveTime ((get-date) .addhours(-10)) 
You create the gMSA using the New-ADServiceAccount cmdlet. When creating the account, 
you specify a hostname as well as service principle names. These should be associated with the 


purpose for which you are creating the gMSA. For example, run this command to create a new 
gMSA named SYD-SVC1 that is associated with the hostname SYD-SVC1.adatum.com: 


New-ADServiceAccount SYD-SVC1 -DNSHOSTNAME SYD-SVC1.adatum.com 


gMSAs are stored in the Managed Service Accounts container, which you can view using 
Active Directory Administrative Center, as shown in Figure 1-8. 


E Active Directory Administrative Center = o x 
“ Adatum (local) > Managed Service Accounts Manage Help 
p: Active Directory... < Managed Service Accounts (1) Tasks 
E |= Filter 2 Ar A 9 |B 
YD-SVCI A 
IE Overview z SYD-SVC 
. 7 X 
= TB kaa ia kisi 
NG Move.. 
Managed Service Accounts msDS-Gro. 
P ie 
Bm Dynamic Access Control » nee 
Managed Service Accounts a 
WB Authentication > 
New 4 
Authentication Policies 
2 : SYD-SVC1 v Delete 
Global h 
5 a Object class: msOS-GroupManagedService/ Modified: 3/10/2017 11:52 PM Move. 
Description, Search under this node 
Properties 
Summary 
WINDOWS POWERSHELL HISTORY A 


FIGURE 1-8 Managed Service Accounts container 
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Once the gMSA is created, you need to configure permissions for specific computers to be 
able to install and use the account. The simplest way to do this is to create a security group, and 
then use the Set-ADSeviceAccount cmdlet to assign the group permissions to the account. You 
then add computers to the group. For example, to allow computers in the SYD-SVRS group to 
use the SYD-SVC1 gMSA, run this command: 


Set-ADServiceAccount -Identity SYD-SVC1 -PrincipalsAl lowedToRetrieveManagedPassword 
SYD-SVRS 


Once you've added a computer to the group that you've given permission to retrieve the 
account, you can install the account on the computer using the Instal1-ADServiceAccount 
cmdlet. Once the account is installed, you can assign it to a service by setting the Log On set- 
tings for the service, as shown in Figure 1-9. You only need to specify the account name and 
you can browse to the account. You don’t need to specify the password setting because the 
password is managed by Active Directory. 


Simple Mail Transfer Protocol (SMTP) Properties (Local Computer) x 


General LogOn Recovery Dependencies 
Log on as: 
© Local System account 


Allow service to interact with desktop 
@ Ihis account: 


Password: 


Conium password. s..000000000000 


OK Cancel Apply 


FIGURE 1-9 Group-Managed Service Account 


A virtual account is the computer local equivalent of a group-Managed Service Account 
(gMSA). You can create a virtual account by editing the properties of a service and setting the 
account name to NT SERVICE\<ServiceName>. As with a gMSA, you don't need to specify a 
password because this is managed automatically by the operating system. 


NEED MORE REVIEW? GROUP-MANAGED SERVICE ACCOUNTS 


You can learn more about gMSAs at https://docs.microsoft.com/en-us/windows-server/ 


security/group-managed-service-accounts/group-managed-service-accounts-overview. 
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Configure Windows Server Auditing 


There are two sets of audit policies in a Group Policy Object (GPO): traditional audit poli- 

cies and advanced audit policies. The traditional audit policies are located in the Computer 
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policies node. 
These are the audit policies that have been available with the Windows Server operating sys- 
tem since Windows 2000. The drawback of these policies is that they are general, and you can't 
be specific in the way you configure auditing. When you use these policies, you not only audit 
the events that you're interested in, but you also end up auditing many events that you don't 
need to know about. 


The advanced audit policies enable you to be more specific in the types of activity you 
audit. The advanced audit policies are located under the Computer Configuration\Policies\ 
Windows Settings\Security Settings\Advanced Audit Policy Configuration node. 


There are 10 groups of audit policy settings and 61 individual audit policies available 
through Advanced Audit Policy Configuration. The audit policy groups contain the following 
settings: 


= Account Logon You can audit credential validation and Kerberos-specific operations. 


= Account Management You can audit account management operations, such as 
changes to computer accounts, user accounts, and group accounts. 


= Detailed Tracking You can audit encryption events, process creation, process termi- 
nation, and RPC events. 


m DS Access You can audit Active Directory access and functionality. 


m Logon/Logoff You can audit logon, logoff, and other account activity events, includ- 
ing IPsec and Network Policy Server (NPS) events. 


m Object Access You can audit access to objects, including files, folders, applications, 
and the Registry. 


= Policy Change You can audit changes to audit policy. 
m Privilege Use You can audit the use of privileges. 
m System You can audit changes to the security subsystem. 


= Global Object Access Auditing You can configure expression-based audit policies 
for files and the Registry. 


Expression-based audit policies 


Traditional object audit policies involve specifying a group and configuring the types of activi- 
ties that trigger an event to be written to the security log. For example, you can specify that an 
audit event is written each time a member of the Managers group accesses a file in a specific 
folder. 

Expression-based audit policies enable you to go further. These policies enable you to set 
conditions for when auditing might occur. For example, you might want to configure auditing 
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so that tracking only occurs for members of the Managers group who have access to sensitive 
files when they access those files from computers that aren't part of the Managers_Computers 
group. This way, you don’t bother tracking access when members of this group access sensitive 
files from within the office, but you do track all access to those sensitive files when members of 
this group are accessing them from an unusual location. 


You can integrate expression-based audit policies with Dynamic Access Control (DAC) to 
create targeted audit policies that are based on user, computer, and resource claims. Instead of 
just adding claims based on user or device group membership, the claim can be based on doc- 
ument metadata, such as confidentiality settings and site location. You can configure expres- 
sion-based audit policies at the file or folder level or apply them through Group Policy by using 
policies in the Global Object Access Auditing node of Advanced Audit Policy Configuration. 


File and folder auditing 


After you configure object access auditing either through traditional or advanced audit poli- 
cies, you can configure auditing at the file and folder levels. The simplest way to configure 
auditing is at the folder level because you can configure all folders and subfolders to inherit 
those auditing settings. If you change the auditing settings at the folder level, you can use 
the Replace All Child Object Auditing Entries option to apply the new auditing settings to the 
folder’s child files and folders. 


You can configure auditing for a specific file and folder through the Advanced button on 
the Security tab of the object's properties. You can configure basic success and failure auditing. 
You can also configure expression-based auditing so that a specific security group member's 
activity is audited only if other conditions, such as membership of other security groups, are 
also met. 


The advantage of using Global Object Access Auditing is that when you configure it, you 
can use file classification to apply metadata to files and then automatically have auditing 
enabled for those files. For example, by using file classification and DAC, you can configure a 
Windows Server file server so that all files containing the phrase “code secret” are marked as 
Sensitive. You can then configure Global Object Access Auditing so that all attempts to access 
files marked as Sensitive are automatically audited. Instead of having an administrator track 
down all the files that are sensitive and configuring auditing on those files, the process is auto- 
matic. All that needs to happen to trigger the audit is that the phrase “code secret” is included 
in the file. 


Using auditpol with auditing 
Auditpol.exe is a command-line utility that you can use to configure and manage audit policy 


settings from an elevated command prompt. You can use auditpol.exe to perform the follow- 
ing tasks: 


m View the current audit policy settings with the /Get subcommand 


= Set audit policy settings with the /Set subcommand 
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m Display selectable policy elements with the /List subcommand 
m Backup and restore audit policies using the /Backup and /Restore subcommands 


m Delete all per-user audit policy settings and reset the system policy settings using the 
/Clear subcommand 


= Remove all per-user audit policy settings and disable all system policy settings using the 
/Remove subcommand 


For example, to enable success and failure auditing for the File System subcategory of 
Object Access, execute the following command: 


Auditpol.exe /set /subcategory:"File System" /success:Enable /failure:Enable 


To view the current audit policy settings for all audit policies, issue the following command: 


Auditpol.exe /get /category:* 


To view the current audit policy settings for a specific category, such as Object Access, issue 
the following command: 


Auditpol.exe /get /category:"Object Access" 


NEED MORE REVIEW? AD DS AUDITING STEP-BY-STEP GUIDE 


You can learn more about Auditing Active Directory at https://docs.microsoft.com/en-us/ 
previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731607(v=ws.10). 


(J EXAM TIP 


You can use exploit protection to stop applications from spawning child processes. 


Skill 1.2: Secure a hybrid Active Directory 
infrastructure 


Active Directory Domain Services (AD DS) is the primary identity store for hybrid Windows 
Server environments. Attackers that wish to commandeer your organization's hybrid infra- 
structure will often attempt to gain control of AD DS. After an attacker has control of AD DS, 
they can create their own privileged identities to accomplish whatever nefarious task they wish 
to across your organization's on-premises and cloud resources. This skill addresses the variety 
of steps that you can take to harden AD DS and reduce the chance that an attacker will be able 
to take control of your organization's identity infrastructure. 
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This section covers how to: 
= Configure password policies 
m Enable password block lists 
m Manage protected users 
m Manage account security on a Read-Only Domain Controller (RODC) 
m Harden domain controllers 
= Configure authentication policies silos 
= Restrict access to domain controllers 
= Configure account security 
m Manage AD built-in administrative groups 
=m Manage AD delegation 
= Implement and manage Microsoft Defender for Identity 


= Implement and manage Azure AD self-service password reset 


Configure password policies 


Most of the accounts used in your organization will be domain-based rather than local 
accounts. Except for the occasional local account, users, services, and computers authenticate 
against AD DS. By using password policies, administrators can specify the rules for allowable 
passwords. They determine how long and how complicated passwords must be, as well as how 
often they must be changed, how often they can be changed, and whether previously used 
passwords can be used again. 


Unless you take special steps, the properties of passwords used with domain accounts are 
determined through domain-based password policies. You configure password policies by 
editing Group Policy Objects (GPOs) linked at the domain level. This fact is important, and 
although you can set password policies at GPOs linked at the organizational unit (OU) and site 
level, these policies have no effect on the properties of user passwords. 


Remember that you can have only one set of domain password policies configured through 
Group Policy. The GPO order at the domain level determines the domain password policy. 

The exceptions to the rule about one password policy per domain are fine-grained password 
policies. 

Password policies are located in the Computer Configuration\Policies\Windows Settings\ 
Security Settings\Account Policies node of a GPO. Although most administrators think of 
password policy and account lockout policy as parts of the same whole, they are actually 
separate. Windows Server ships with a default password policy, but account lockout policy is 
not enabled. 
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Password policy items 


This list shows five main password policies that you are likely to use when configuring a 
password policy for your organization, and one that you probably won't use. These password 
policies are the following: 


m Enforce password history This policy means that the configured number of pre- 
viously used passwords is stored within Active Directory. It stops users from using 
the same set of small passwords. The default and maximum value is 24 remembered 
passwords. 


= Maximum password age This policy specifies the maximum length of time that can 
elapse before a password must be changed. The default value is 42 days. You can set it 
to 999 days. Setting the value to 0 days means that there is no maximum password age. 


= Minimum password age You use this policy to restrict users from changing their 
password instantly. This policy exists because some users spend a couple of minutes 
repeatedly changing their password until they have exhausted the password history and 
return to using their original password. Users can change their password after the speci- 
fied period has elapsed. The default value is 1 day. 


= Minimum password length This policy sets the minimum number of characters in a 
password. Longer passwords are more secure than shorter ones. Windows Server sup- 
ports passwords up to 128 characters long when changed using GUI tools, and up to 256 
when modified using PowerShell. 


= Password must meet complexity requirements This policy ensures that passwords 
use a mix of numerals, symbols, and uppercase and lowercase alphabet characters. 
When enabled, it also stops users from using their account name in the password. 


The policy that you are unlikely to need is the Store Passwords Using Reversible Encryption 
policy. This policy has been available in most previous versions of the Windows Server operat- 
ing system. It provides backward compatibility for applications that could not access passwords 
stored in Active Directory using the native method of encryption. Unless your organization is 
running some software that was written back when Windows NT 4.0 was the Windows Server 
operating system, you probably won't need to enable this policy. 


Delegate password settings permissions 


People tend to be good at remembering passwords that they have used for a long time. They 
tend not to be so good at remembering new passwords, especially if those passwords contain 
a mix of numbers, letters, and symbols. Users who frequently have to change their passwords 
are more likely to end up forgetting those passwords. If an account lockout policy is enforced, 
users are more likely to end up calling the service desk to get their password reset. The stricter 
an organization's password policy is, the more time the service desk has to spend untangling 
users from forgotten passwords. 
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Instead of having users call the service desk to have their password reset, you can del- 
egate the ability to reset user passwords to someone in the user's own department, such as 
an administrative assistant or office manager. Taking this step can increase security because 
someone in the user's own department can more easily verify the user's identity than a service 
desk technician can. It also shifts work away from the service desk, which enables service desk 
technicians to concentrate on other tasks. 


The default Active Directory settings give members of the Account Operators, Domain 
Admins, or Enterprise Admins Active Directory groups the right to change user passwords. 
You can delegate the ability to manage password settings on a per-OU basis through the 
delegation of a control wizard. When you do this, you move user accounts into specific OUs 
that match your administrative requirements. For example, you can move all user accounts of 
people who work in the research department to the Research OU, and then delegate the right 
to reset passwords and force password change at the next logon to the research department's 
departmental manager. You can also delegate the ability to manage password settings at the 
domain level, though most organizations do this by adding users to the Account Operators, 
Domain Admins, or Enterprise Admins groups. 


To delegate the right to reset passwords and force password changes at the next logon, run 
the Delegation of Control Wizard. You can access this wizard by right-clicking an OU in Active 
Directory Users and Computers and then selecting Delegate Control. You should be careful to 
select only the Reset user passwords and force password change at next logon task and not 
grant non-IT department users the right to perform other tasks. 


Larger organizations should consider providing a self-service password reset portal. Self- 
service password reset portals enable users to reset their Active Directory user account pass- 
words after performing a series of tasks that verify their identity. This process provides users 
with a quick method of resetting forgotten passwords and reduces the number of password 
reset requests for service desk technicians. Connecting your on-premises interest of AD DS to 
Azure Active Directory provides you with the option of implementing self-service password 
reset. 


Fine-grained password policies 


Fine-grained password policies enable you to have separate password policies within a single 
domain. For example, with fine-grained password policies you can have a password policy 
that applies to general users and have a stricter set of policies that apply to users with sensi- 
tive accounts, such as members of the IT department. Unlike Group Policy—based password 
policies, which apply at the domain level, you apply fine-grained password policies to global 
security groups or individual user accounts. This means that multiple fine-grained password 
policies might apply to a single account. In this situation, use precedence settings to ensure 
that the appropriate policy always applies. (Precedence is covered later in this lesson.) Fine- 
grained password policies can't be applied to domain local or universal security groups, only 
to global security groups. The Active Directory domain must be at the Windows Server 2008 or 
later functional level or higher before you can use fine-grained password policies. 
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MANAGING FINE-GRAINED PASSWORD POLICIES 

You create and manage fine-grained password policies through the Active Directory Admin- 
istrative Center. To create a new Password Settings Object (PSO), open the Active Directory 
Administrative Center and navigate to the Password Settings Container (PSC), which is located 
in the System Container of the domain. From the Tasks menu, select New, and then select Pass- 
word Settings. The PSC enables you to view the precedence of PSOs. Password settings with 
lower precedence values override password settings with higher precedence values. 


CONFIGURING PASSWORD SETTINGS OBJECTS 

A Password Settings Object (PSO) contains settings for both password policy and account 
lockout policy. A PSO applies to the groups and users specified in the Directly Applies To area. 
If a PSO applies to a user account, either directly or indirectly through group membership, that 
PSO overrides the existing password and account lockout policies configured at the domain 
level. 


PSOs contain the following options: 
m Name Enables you to configure a name for the PSO. 


m Precedence When multiple PSOs apply to an account, the PSO with the lowest prece- 
dence value has priority. 

= Enforce Minimum Password Length Minimum password length that can be used by 
users subject to the policy. 

= Enforce Password History The number of passwords remembered by Active Direc- 
tory. Remembered passwords can't be reused. 

= Password Must Meet Complexity Requirements A password must contain a mix of 
numbers, symbols, and uppercase and lowercase letters. 

m Store Password Using Reversible Encryption Provides backward compatibility with 
older software and is rarely used in Windows Server environments. 


= Protect From Accidental Deletion The user account can't be accidentally deleted. 
Although this setting is not available in Group Policy password or account lockout set- 
tings, you can edit an object directly to configure it. 


= Enforce Minimum Password Age The minimum length of time users must have a 
password before they are eligible to change it. 


= Enforce Maximum Password Age The maximum number of days that users can go 
without changing their password. 


= Enforce Account Lockout Policy You can configure the following three policies with 
this policy enabled: 


= Number of Failed Logon Attempts Allowed The number of incorrect password 
entries that can be made in succession before a lockout is triggered. 


= Reset Failed Logon Attempts Count After The period of time in which the incor- 
rect password entries must be made. 
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= Account Will Be Locked Out Policy can be set either to a specific number of min- 
utes or to a setting for which the administrator must manually unlock the account. 


Determining password settings 


If your organization uses a number of fine-grained password policies, it might be difficult to 
determine, at a glance, which password policy applies to a particular user because PSOs can 

be applied to multiple groups and users, and users can be members of multiple groups. Rather 
than work everything out manually, the Active Directory Administrative Center's Global Search 
function provides the following criteria to determine which fine-grained password policy 
applies to a specific user or group: 


= Directly Applied Password Settings For A Specific User You can determine which 
PSOs directly apply to a specific user account. PSOs that apply to security groups of 
which the user account is a member are not listed. 


= Directly Applied Password Settings For A Specific Global Security Group You can 
determine which PSOs directly apply to a specific security group. 


= Resultant Password Settings For A Specific User You can determine which PSO 
applies to a specific user account based on directly applied PSOs as well as PSOs that 
apply indirectly through group membership. 


Establishing balanced password policies 


Password policies require balance, and a password policy that is too strict can be as detri- 
mental as one that is not strict enough. For example, some organizations that implement 
strict password policies find that users write complicated passwords down because they can’t 
remember them. By increasing the severity of their password policies, the IT department may 
prompt users to behave in a way that makes the organization less secure. 


When considering password policies, keep the following in mind: 


m Users dislike changing their password. Many want to log on and get to work rather than 
coming up with a new password to remember that also meets the requirements of the 
password policy. 

m Users are more likely to forget a new password than one they have been using for some 
time. Users who constantly forget passwords tend to do things that decrease security 
such as writing those passwords on notes taped to their monitors. 

= Ifyou increase the minimum password length, forcing users to use pass phrases, you 
can also increase the maximum time before the password expires. Increasing password 
length increases security by making the password less guessable. Although increasing 
maximum password age reduces password security, this decrease is not as significant as 
the improvement achieved by increasing password length. 

Remember that each call to the service desk costs the organization money and time. You 

should aim to minimize the number of password reset requests without decreasing password 
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security. An alternative option is to implement Self-Service Password Reset through integration 
with Azure Active Directory. 


Account lockout settings 


An account lockout policy determines what happens when a person enters an incorrect pass- 
word a certain number of times. The default Windows Server settings do not have account 
lockout policy configured, so users can keep entering incorrect passwords until they give up in 
frustration. Unfortunately, enabling users to keep entering incorrect passwords is a security risk 
because it allows “dictionary attacks,” in which an automated system keeps entering passwords 
from a list until it locates the correct one. 


These policies enable you to do the following: 


= Account Lockout Duration Use this policy to specify how long an account is locked 
out. When enabled, this setting defaults to 30 minutes. If you set this policy to 0, the 
account is locked out until someone with the appropriate privileges can unlock it. 


= Account Lockout Threshold Use this policy to specify the number of invalid logon 
attempts that trigger an account lockout. When enabled, the default value is 5, but you 
can set it to 999. The number of invalid logons must occur within the period specified 
in the Reset Account Lockout Counter After policy. A value of 0 will mean that account 
lockout will not be triggered. 


= Reset Account Lockout Counter After Use this policy to specify the amount of time 
in which the number of invalid logon attempts must occur. When enabled, this policy 
defaults to a value of 30 minutes. If the defaults are used and a user enters an incorrect 
password three times in 30 minutes, the account is locked out for 30 minutes. If a user 
enters an incorrect password three times in 31 minutes, however, the account is not 
locked out. 


You have to consider balance when configuring lockout policies. How many failed attempts 
suggest that users won't remember their password? For the average user, a lockout of 30 
minutes is functionally equivalent to a lockout that never expires. Even if you explain to users a 
thousand times that they have to wait 30 minutes and try again, they will still ring the help desk 
within moments of being locked out. Consider a 1-minute lockout and mention it using the 
logon disclaimer Group Policy item. It enables you to protect against dictionary attacks and 
probably minimize calls to the service desk. 


Account management tasks 


Having a set of account policies in place is only the first step in a comprehensive account man- 
agement strategy. Administrators must regularly check the status of user accounts to deter- 
mine how well account policies are functioning, as well as locate any accounts in which there is 
suspicious activity. 
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ACCOUNTS WITH NONEKPIRING PASSWORDS 


You can configure an account so that the password never expires. When you do this, the 
user associated with the account never has to change the password. Password policies don’t 
override accounts that have been explicitly configured so that their passwords do not expire. 
Selecting the Password Never Expires setting, as shown in Figure 1-10, exempts an account 
from any password-expiration policies. 


Prime Properties ? x 
Member Of DiaHin Environment Sessions 
Remote control Remote Desktop Services Profile COM 


General Address Account Profile Telephones Organization 
User logon name: 


prime @taiwindtraders. intemal < 


User logon name (pre-Windows 2000): 
TAILWINDTRADERS\ prime 


C] User must change password at next logon A 
[] User cannot change password 

7] Password never expires 

L] Store password using reversible encryption v 
Account expires 

©) Never 

O End of. Sunday February 27, 2022 

OK Cancel Apply Help 


FIGURE 1-10 Password never expires setting 


To configure an account so that password policies apply, you need to deselect the Password 
Never Expires option. You should also force the user to change the password at the next logon 
as if the password was configured not to expire because it is reasonable to assume that the 
user hasn't changed it recently. You can figure out which accounts have been configured not to 
expire by using the Active Directory Administrative Center and performing a query to find all 
accounts that have been configured with no expiration date, as shown in Figure 1-11. 
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FIGURE 1-11 Locate accounts with no password expiration 


You can then modify the properties of these accounts by selecting them all and selecting 
the Password Never Expires option in the Multiple User Account properties dialog box, which 
is available when you select and view the properties of multiple accounts in the Active Direc- 
tory Administrative Center Console. When performing this task, you should also force users to 
change their passwords on their next logon, which ensures that password policies apply in the 
future. 


Many systems administrators have the bad habit of configuring their passwords not to 
expire simply because they realize how annoying it is to have to change passwords constantly. 
Given that systems administrator accounts are usually the most powerful in the organization, 
it is a bad idea to enable them to exempt themselves from an organizational password policy. 
If anything, systems administrators should be subject to more stringent password policies than 
ordinary users. You can configure stricter password policies for a specific subset of users using 
fine-grained password policies. 


LOCKED-OUT ACCOUNTS 

As you learned earlier, the length of time an account is locked out depends on account lockout 
policies. Many organizations that permanently lock out accounts when a user enters incor- 
rect passwords in succession wait for the locked-out user to call the service desk to request a 
password reset. Although most users contact the service desk quickly when their user account 
is locked out, there are situations in which this does not occur, such as when someone attempts 
to gain access to a coworker’s account while that coworker is on leave. You can use the Active 
Directory Administrative Center Global Search option to locate users with enabled but locked- 
out accounts. You do this by selecting the Users with enabled but locked accounts search 
criteria. You should further investigate locked accounts when the user associated with the 
account has not contacted the service desk. 
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INACTIVE ACCOUNTS 

Although the IT department is often notified when a person new to the organization needs a 
new user account, the IT department is not always notified when people leave the organiza- 
tion. As a result, most organizations have a number of inactive user accounts that are associ- 
ated with people no longer directly associated with the organization. There can be good 
reasons for the inactivity; for example, a person may be on maternity or long service leave. As 
an administrator, you should frequently search for accounts in which the user has not signed 
on for a good length of time. You can disable user accounts associated with users who have 
temporarily departed the organization. This gives you the option of reenabling the account 
when the user returns. You can later remove user accounts associated with users who have left 
the organization. 


Disabling an account allows you to reactivate the account if it is necessary to access 
resources to which the departed user had access. Some organizations have a special “Disabled 
User Accounts” OU to store these accounts. Deleting an account is a more permanent option. 
Although it is possible to recover deleted items if backups are available, it gets increasingly dif- 
ficult once the tombstone lifetime expires. 

You can locate inactive accounts by using the Global Search function in the Active Direc- 
tory Administrative Center to search for users with enabled accounts who have not signed on 
for more than a given number of days. The value you choose here will depend on the nature of 
your environment, but you should definitely investigate any active enabled accounts in which a 
logon has not occurred for more than 50 days. 


Local Administrator Password Solution 


Local Administrator Password Solution (LAPS) is a tool that you can use to manage the pass- 
words of local Administrator accounts of each domain-joined computer in your environment. 
LAPS allows you to avoid the problem present in many environments in which every computer 
in the domain with a default local Administrator account is configured with a common 
password that never expires. LAPS provides the following benefits: 


m Local Administrator passwords are unique on each computer managed by LAPS. 

m Local Administrator passwords are randomized and changed on a regular basis. 

m LAPS stores local Administrator passwords and secrets securely within AD DS. 

m Access to passwords and secrets is controlled by configurable permissions. 

m Passwords retrieved by LAPS are transmitted to the client in a secure encrypted manner. 


You install the LAPS agent on each computer that you wish to manage. The LAPS agent 
is then managed through a Group Policy Client Side Extension. Installing LAPS requires an 
update to the Active Directory schema. You perform this update by running the Update- 
AdmPwdADSchema cmdlet, which is included in a PowerShell module made available when you 
install LAPS on a computer. To run this update, the account running the cmdlet must be a 
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member of the Schema Admins group, and this cmdlet should be run on a computer that is in 
the same Active Directory site as the computer that holds the Schema Master role for 
the forest. 


When a Group Policy refresh occurs, LAPS does the following: 

m LAPS checks whether the password of the local Administrator account has expired. 
m Ifthe password hasn't expired, LAPS does nothing. 

m Ifthe password has expired, LAPS performs the following steps: 


m Changes the local Administrator password to a new random value based on the con- 
figured parameters for local Administrator passwords. 

m Transmits the new password to AD DS, where it is stored in a special confidential 
attribute associated with the computer account of the computer that has had its local 
Administrator account password updated. 

m Transmits the new password expiration date to AD DS, where it is stored in a special 
confidential attribute associated with the computer account of the computer that has 
had its local Administrator account password updated. 

By default, accounts in the Domain and Enterprise Administrators group can retrieve 
local Administrator accounts. Domain and Enterprise Administrators also can trigger a local 
Administrator password change on a specific computer. 

To configure computers so that their passwords are managed by LAPS, perform the 
following steps: 

m Move computer accounts of computers that you want to use LAPS to manage pass- 
words to an OU. 

m Install LAPS on the computers for which you want to manage the local Administrator 
password. You'll also need to install LAPS on an administrative computer that you can 
use to install the necessary template. 

m Install the GPO templates into AD DS. You can do this by running the installer and 
selecting the PowerShell module and the GPO Editor templates installation option. 

m Use the Set-AdmPwdComputerSelfPermission cmdlet to assign computers in an OU the 
ability to update the password of their local Administrator account when it expires. For 
example, for computers in the Adelaide OU, run the command: 


Set-AdmPwdComputerSelfPermission -Identity "Adelaide" 


Once the templates are installed, you'll be able to configure the following policies: 


= Enable local admin password management This policy enables LAPS and allows 
you to manage the local Administrator account password centrally. 


m Password settings This policy allows you to configure the complexity, length, and 
maximum age of the local Administrator password. The default is that upper and 
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lowercase letters, numbers, and special characters are used. The default password 
length is 14 characters, and the default password maximum age is 30 days. 


= Do not allow password expiration time longer than required When enabled, the 
password is updated according to domain password expiration policy. 


= Name of administrator account to manage Use this policy to identify custom local 
Administrator accounts. 


To view local Administrator passwords, you can use the client that comes with the LAPS 
installer, issue the Get-AdmPwdPassword cmdlet, or view a computer's ms-Mcs-AdmPwd attribute. 


NEED MORE REVIEW? LOCAL ADMINISTRATOR PASSWORD SOLUTION 


You can learn more about LAPS at https://docs.microsoft.com/en-us/previous-versions/ 
mt227395(v=msdn.10). 


Enable password block lists 


Azure AD Password Protection allows you to detect and block known weak passwords. You can 
also use Azure AD Password Protection to block specific terms from being used in passwords, 
such as those associated with your organization, popular anime characters, or the local football 
team. 


Checks for weak passwords occur on the domain controller, and password hash synchroni- 
zation is not required for the implementation of Azure AD Password Protection. Communica- 
tion with Azure occurs through a domain-joined computer that has the Azure AD Password 
Protection Proxy service deployed. This service is responsible for ensuring that password 
hygiene policies configured in Azure are distributed to domain controllers. Azure AD Password 
Protection does not require domain controllers to be able to directly communicate with Azure. 


Password policies are only enforced on domain controllers where the Azure AD Password 
Protection agent is installed. To ensure that password protection enforcement occurs consis- 
tently, you will need to deploy the password protection agent on all domain controllers in a 
domain. 


Manage protected users 


The Protected Users group, shown in Figure 1-12, provides you with a method of protecting 
highly privileged user accounts from being compromised. It does this by blocking the use of 
less-secure security and authentication options. 
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Protected Users Properties ? x 


General Members Member OT Managed By 


R, Protected Users 


Group name [pre-\yindows 2000} Protec Š | 
Description [Members of this group are afforded addtional protection | 
Emak 


Group scope Group type 
Domain local Security 
Global Distribution 
Universal 

Notes: 


E] NE 


FIGURE 1-12 Protected Users Properties 


For example, credentials are not cached if an account that is a member of the Protected 
Users group signs in to a computer running the Windows 8.1 or later client operating system or 
the Windows Server 2012 R2 or later server operating system. Additionally, accounts that are 
members of this group cannot use the following security options: 


m Default credential delegation (CredSSP) 

m Windows Digest 

a NTLM 

= Kerberos long-term keys 

m Sign-on offline 

If the domain functional level is Windows Server 2012 R2 or higher, user accounts that are 
members of the Protected Users group cannot: 


m Use NT LAN Manager (NTLM) for authentication 

m Use DES for Kerberos pre-authentication 

m Use RC4 cipher suites for Kerberos pre-authentication 

= Be delegated using constrained delegation 

m Be delegated using unconstrained delegation 

m Renew user tickets (TGTs) past the initial 240-minute lifetime 


Only user accounts should be added to the Protected Users group. You should not add 
computer accounts or service accounts to this group. In secure environments, all privileged 
accounts should be members of this group, with exceptions occurring only when specific 
incompatibilities arise that cannot be resolved in another way. 
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NEED MORE REVIEW? PROTECTED USERS 


You can learn more about protected users at https://docs.microsoft.com/en-us/ 
previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11). 


Manage account security on a Read-Only Domain 
Controller (RODC) 


Read-only domain controllers (RODCs) are a special type of domain controller. They host a 
read-only copy of the AD DS database. Rather than storing the passwords for all users in the 
domain, RODCs only store the passwords of a specific set of accounts that you configure. The 
first domain controller in a new domain or forest cannot be an RODC. 


The justification for RODCs is that DCs sometimes need to be located in places where serv- 
ers have poor physical security and might be stolen. For example, many organizations have 
branch offices where servers are kept under someone's desk. A good rule of thumb is that you 
should consider a location insecure if it is accessible to anyone other than IT staff. If a jani- 
tor can pull out a computer's power cord to plug in a vacuum cleaner, the computer isn’t in a 
secure location. 


If a server that hosts a domain controller is stolen, the best practice is to reset the account 
passwords that might have been compromised because it's possible, with the correct tools, to 
extract passwords from the AD DS database if you have direct access to it. If an ordinary DC 
is stolen, you would, in theory, need to reset the passwords of every account in the domain 
because you could never be sure that someone hadn't gained access to the AD DS database 
and found a way to extract the passwords of people in your organization. 


With shielded VMs and shielded fabrics, it’s possible to run a DC in a manner where the VM 
itself is protected by encryption. In the event that the host server is stolen, the AD DS database 
cannot be recovered because the contents of the virtualization server's storage are encrypted 
using BitLocker. 


Concerns about the physical security of a DC are the primary reason to deploy an RODC, 
so it is extremely unlikely that you would have both an RODC and a writable DC at the same 
site. RODCs are for sites where the domain controller once was placed in a location that wasn’t 
secure. However, if you do have concerns about the security of a location, it’s probably not a 
great idea to deploy a domain controller at that location! 


RODC password replication 

One of the most important steps in configuring an RODC is limiting which passwords can be 
replicated down to the server from a writable domain controller. The default configuration of 
an RODC has it store almost everything from AD DS except for user and computer account 
passwords. In the event that a user or computer account needs to be authenticated against AD 
DS, the RODC acts as a proxy for a writable Windows Server DC. The authentication occurs but 
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depends on the WAN link to be functional because if you could host a writable DC locally, you 
wouldn't need the RODC. 


Although you can configure an RODC to not cache any passwords locally, you can configure 
an RODC to cache the passwords of select staff working at a branch office to speed their login. 
Caching passwords also allows branch office users to log in if the WAN link fails. If the WAN link 
fails and the user's credentials are not cached, the user is simply unable to log in to the domain. 


You configure which accounts can authenticate using the RODC by using the Password 
Replication Policy, as shown in Figure 1-13. By default, only members of the Allowed RODC 
Password Replication group can use the RODC to authenticate. This is only the case if the user 
account is not a member of the Account Operators, Administrators, Backup Operators, Server 
Operators, or Denied RODC Password Replication Group groups. 


i Oo x 
MEL-DC2 TASKS v) [SECTIONS v 
Computer | Extensions DDA A 
mangat Sy Dial-in I Security | Location 
Member Of Password Replication Policy Attribute Editor = 
Policy This is a Read-only Domain Controller (RODC). An RODC stores users and 
Computers passwords according to the policy below. Only passwords for 
Silo accounts that are in the Allow groups and not in the Deny groups can be 
replicated to the ROOC. 
Relegation Groups, users and computers: 
Extensions Name Active Directory Dom... Setting 
Account Operators contosointemal/Bultin Deny 
Administrators contoso intemal/Buatin 


A) More Information 


FIGURE 1-13 Password Replication Policy 


RODC partial attribute set 


You can configure Active Directory so that only specific attributes on AD DS objects are 
replicated to an RODC. You would do this because some applications are configured to store 
sensitive data such as passwords or encryption keys as attributes for an object. If you add these 
sensitive attributes to the filtered attributes set, you can ensure that this information will not be 
replicated and stored on an RODC. 
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It is not possible to add system-critical attributes to the RODC filtered attribute set. Attri- 
butes that cannot be added to the filtered attribute set are those required for AD DS, the Local 
Security Authority (LSA), Security Accounts Manager (SAM), and Microsoft-specific security 
services providers to be able to function correctly. You mark an attribute as confidential by 
removing the Read permission for that attribute for the Authenticated Users group. 


RODC local administrators 


Because you deploy RODCs as a security measure, they are almost always placed at branch 
office sites. Resources at branch office sites are often sparse, so it is also likely that you'll co- 
locate other services on the server hosting the RODC role. For example, a server that functions 
as an RODC can also function as a file server, DNS server, DHCP server, and local intranet server. 
You can allow a user without Domain Admin privileges to deploy an RODC if you have pre- 
created an RODC account and added it to the appropriate Active Directory Domain Services 
site and the user is a member of the local Administrators group on the computer. You can 
perform this task in PowerShell or Active Directory Administrative Center. 


If the computer hosting the RODC role also needs to host other roles, you might need to 
grant administrator access to a user who works at the branch office (but who is not a member 
of your organization’s usual IT staff) in case your normal remote administration techniques 
don't work. RODCs differ from normal domain controllers in that you can grant local adminis- 
trator access without having to make the user a member of the Domain Admins group. 


To configure a user to function as a local administrator on the computer that hosts the 
RODC role, edit the properties of the RODC’s computer account and configure a security group 
for the Managed By setting. 


Decommissioning an RODC 


If you suspect that an RODC has been compromised, you can delete the RODC’s account from 
the Domain Controllers container in Active Directory Users and Computers. When you do this, 
you get the option of resetting all passwords for user and computer accounts that were cached 
on the RODC, as well as the option of exporting a list of all potentially compromised accounts. 


NEED MORE REVIEW? READ-ONLY DOMAIN CONTROLLERS 


You can learn more about RODCs at https://docs.microsoft.com/windows-server/identity/ 
ad-ds/deploy/rodc/install-a-windows-server-2012-active-directory-read-only-domain- 
controller--rodc---level-200-. 


Harden domain controllers 


Domain controllers are the vaults that host the “crown jewels” of any Windows Server network. 
Attackers that can compromise a domain controller can compromise the Active Directory 
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instance hosted on that domain controller. This gives attackers the ability to grant themselves 
any Active Directory domain privilege they desire. You want to ensure that your organization's 
domain controllers are as secure as possible. Some obvious steps you can take to secure your 
organization's domain controllers include: 


Only run the Server Core installation option The Server Core installation option of 
Windows Server has a smaller attack surface than the Server with Desktop Experience 
version of Windows Server. 


Only host AD DS and DNS on domain controllers Generally, you should also avoid 
hosting workloads other than DNS on a computer configured as a domain controller as 
a further way of minimizing the attack surface. The more workloads a domain control- 
ler hosts, the more components there are for an attacker to attempt to exploit to gain 
control of that computer. 


Run the most recent version of Windows Server Domain controllers should always 
run the most recent version of Windows Server. When a new version of Windows Server 
is released, the first thing you should do is deploy domain controllers running the new 
operating system and retire domain controllers running previous versions of Windows 
Server. Newer versions of Windows Server are inherently more secure than previous ver- 
sions of Windows Server. 


Stay up to date with monthly software updates You should ensure that you keep 
domain controllers patched with the most recent software updates. You should aggres- 
sively update domain controllers. Since you should not run workloads beyond Active 
Directory and DNS on a domain controller, you are unlikely to encounter compatibility 
problems with new software updates (though you should still test on one domain con- 
troller before rolling out to all the others). 


Enable Device Guard Only authorized applications and processes should be able to 
run on an Active Directory domain controller. Application allowlisting is the process by 
which only authorized applications and processes can be run and any application or 
process that is not explicitly authorized will be unable to run. The most effective method 
of applying application allowlisting is enabling Device Guard. 


Block domain controllers from directly communicating with hosts on the 
internet You should configure perimeter network firewalls so that domain controllers 
on internal networks can’t directly communicate with hosts on the internet. Software 
updates from domain controllers should be obtained from sources on the internal net- 
work, such as a WSUS server. 


Only accept administrative connections from authorized hosts Domain control- 
lers should only accept RDP and remote PowerShell sessions from specific authorized 
hosts. These hosts should be privileged access workstations or jump servers. 

Keep domain controllers in the domain controllers OU Avoid moving domain 
controllers out of the default domain controllers OU because this can lead to unex- 
pected configurations being assigned through Group Policy. 
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m Ensure that Directory Services Restore Mode (DSRM) passwords are changed 
regularly This password allows out-of-band access to a domain controller. Passwords 
should be different for each domain controller, they should be updated every couple of 
months, and they should be stored in a secure location, such as a safe. 


Restrict scheduled tasks 

Another step in hardening domain controllers is configuring the Domain Controller: Allow 
Server Operator To Schedule Tasks policy as disabled, as shown in Figure 1-14. Doing this will 
block someone who is signed into a server using the AT command to configure scheduled jobs. 
By default, AT jobs run under the SYSTEM account, and attackers often exploit the AT command 
to elevate privileges. If you configure this policy, it will be necessary to specify account creden- 
tials when configuring a scheduled task. 


Domain controller: Allow server operators to schedule tas... ? x 


Securty Policy Setting Explain 
SN Domain controller: Allow server operators to schedule tasks 
pul d 


EZ Define this policy setting 
O Enabled 
@ Disabled 


[ok ll cni [pony 


FIGURE 1-14 Block task scheduling using AT 


KRBTGT account password 

While you should definitely change the KRBTGT account password if your domain is compro- 
mised by an attacker or when someone who has had Domain Admin privileges leaves the orga- 
nization, it is also good security hygiene to change the KRBTGT account password every six 
months. Changing the KRBTGT password involves an initial password change, waiting for rep- 
lication to occur, and then changing the password again. Many people wait 24 hours between 
the first and second changes. You must perform the password operation twice because of the 
way the password history of the KRBTGT account functions. Updating the KRBTGT password 
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twice means that replication cannot occur using an older password. If you do it only once and 
the domain has been compromised, an attacker might leverage the second stored password. 


You can reset the KRBTGT account password by performing the following steps: 


1. Open Active Directory Users and Computers. 


2. Inthe View menu, select Advanced Features. 


3. Inthe Users container of the domain, select the krbtgt user account, as shown in 


Figure 1-15. 


File Action View Help 


D Active Directory Users and Com 
> E] Saved Queries 
~ 3 contoso.intemal 
> E Buiktin 
> [9 Computers 
> BJ Domain Controllers 
> E ForeignSecurityPrincipal: 
> A Keys 
> E LostAndFound 
> (5) Managed Service Accour 
> E] Program Data 
> E System 
E Users 
> @) WAC-TEST-ou 
> (5) NTDS Quotas 
> © TPM Devices 


eea\aml¢olxaeGBli@mitearae 


T Active Directory Users and Computers - o x 


Name Type Description A 
Hi Domain Co... Security Group... All workstations and ser... 

Bi Domain Con... Security Group... All domain controllers i... 

BR Domain Gue... Security Group... All domain quests 

BX Domain Users Security Group... All domain users 


|| BR Enterprise A... Security Group... Designated administrate... 


Bè Enterprise KK... Security Group... Members of this group s 
Hi Enterprise R... Security Group... Members of this group ... 
Bi Group Polic.. Security Group. Members in this group c... 
PB Guen User Built-in account for gue... 
HR Key Admins Security Group.. Members of this group ... 


Key Distribution Center 


ER MEL-SQL-Se.. Security Group... 

Bi Protected Us... Security Group... Members of this group ... 
BR RAS and IAS... Security Group... Servers in this group can... 
Bh Read-only D... Security Group... Members of this group ... 
Ba schema Ad... Security Group... Designated administrato... 


FIGURE 1-15 krbtgt account 


4. From the Action menu, select Reset Password. You should then type and confirm a 
new password. The password you enter in this dialog box isn't important because Active 
Directory will trigger the creation of a separate strong password that is independent of 


the password you configure. 


NEED MORE REVIEW? HARDEN DOMAIN CONTROLLERS 


You can learn more about hardening domain controllers at https://docs.microsoft.com/ 


en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain- 


controllers-against-attack. 


Configure authentication policies silos 


Authentication policy silos allow you to define relationships between the user, computer, and 
managed service accounts. A user, computer, and managed service account can only belong 
to a single authentication policy silo. This provides a more robust security method that goes 
beyond configuring log-in restrictions and restricting which accounts can access specific serv- 
ers in your environment. 
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Accounts inan authentication policy silo are associated with a silo claim. You can use this silo 
claim to control access to claims-aware resources. For example, you can configure accounts so 
that only accounts that are associated with a specific silo claim can access particularly sensitive 
servers. This means only accounts that are associated with a Certificate Services silo claim can 
sign into a computer that has the Active Directory Certificate Services role installed. 


Authentication policies allow you to configure settings, such as the TGT lifetime and access- 
control conditions, which specify conditions that must be met before a user can sign into a 
computer. For example, you might configure an authentication policy that specifies a TGT life- 
time of 120 minutes and limit a user account so that users can only use it with specific devices, 
such as privileged-access workstations. You can only use authentication policies if you have 
configured the domain functional level at Windows Server 2012 R2 or higher. 


You configure authentication policies and authentication policy silos using Active Directory 
Administrative Center, as shown in Figure 1-16. 


Create Authentication Policy: ADCS Auth_Policy Tasks v| [SECTIONS v 


General General DHA 


Accounts 
An authentication policy defines the Kerberas Ticket Granting Ticket properties and authentication access contral conditions for an 


Silos account type. 


User Sign On Display name: a ADCS Auth Policy J Only audit policy restrictions 
Desenption ®) Enforce policy restrictions 
Note: Audit policy applied through a silo will override the pe 


Service Tickets for User Accounts 
Service Sign On 

Service Tickets for Service Accounts 
Computer [Vj Protect from accidental deletion 


Accounts Dee 


Name Account lype 


B More hiaan (Tx) 


FIGURE 1-16 Authentication policies 


NEED MORE REVIEW? AUTHENTICATION POLICIES AND SILOS 

You can learn more about authentication policies and silos at https://docs.microsoft.com/ 
en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486813 
(v=ws.11). 
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Restrict access to domain controllers 


Domain controllers and other important workload hosts are only as secure as the comput- 

ers that you use to manage them. An increasing number of security incidents have occurred 
because a privileged user's computer was infected with malware and that computer was 

then used to perform server administration tasks. Privileged Access Workstations (PAWs) are 
specially configured computers that you use to perform remote administration tasks. The idea 
of a PAW is that you have a computer with a locked-down configuration that you only use to 
perform server administration tasks. You don’t use this computer to read your email or browse 
the internet; you just use it to perform server administration tasks. 


Critical servers should be configured through firewall policies, including connection security 
rules (covered later in this chapter), to only allow traffic on the ports used by Windows Admin 
Center, Microsoft Management Consoles, Remote Desktop Protocol, and PowerShell from 
known PAWS. 


Consider configuring a PAW using the following options: 


= Configure Windows Defender Application Control (Device Guard) to allow only specifi- 
cally authorized and digitally signed software to run on the computer. 


= Configure Credential Guard to protect credentials stored on the computer. 
m Use BitLocker to encrypt the computer's storage and protect the boot environment. 


m The computer should not be used to browse the internet or to check email. Server 
administrators should have completely separate computers to perform their other 
daily job tasks. Block internet browsing on the PAW both locally and on the perimeter 
network firewall. 


m Block the PAW from accessing the internet. Software updates should be obtained from a 
dedicated secure update server on the local network. External tools should be obtained 
from another computer and transferred to the PAW. 

m Server administrators should not sign into the PAW using an account that has adminis- 
trative privileges on the PAW. 

m Only specific user accounts used by server administrators should be able to sign into the 
PAW. Consider additional restrictions such as sign-in hours. Block privileged accounts 
from signing into computers that are not PAWs or servers to be managed, such as the IT 
staff's everyday work computers. 

= Configure servers to only accept administrator connections from PAWs. This can be 
done through Windows Defender Firewall with Advanced Security. 

m Use configuration management tools to monitor the configuration of the PAW. Some 
organizations rebuild PAWs entirely every 24 hours to ensure that configurations are not 
altered. Use these tools to restrict local group membership and ensure that the PAW has 
all appropriate recent software updates applied. 


m Ensure that audit logs from PAWs are forwarded to a separate secure location. 
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Disable the use of unauthorized storage devices. For example, you can configure poli- 
cies so that only USB storage devices that have a specific BitLocker organizational ID can 
be used with the computer. 


Block unsolicited inbound network traffic to the PAW using Windows Defender Firewall. 


NEED MORE REVIEW? SECURING PRIVILEGED ACCESS 


You can learn more about securing privileged access at https://docs.microsoft.com/en-us/ 


security/compass/overview. 


Configure account security 


There are additional security options that you should consider when configuring highly privi- 
leged accounts. These include configuring the following settings: 


Logon Hours Use this setting to configure when users can use an account. AD DS 
does not authenticate someone attempting to sign in outside of these hours. By default, 
accounts are configured so that users can sign in at all times. Consider configuring 
privileged accounts so that users can use them only at specific times. This stops a user 
from signing in after hours, either specifically or with a compromised account, to get 

up to no good when they assume that no one is watching. Organizations that do need 
to use privileged accounts to perform after-hours maintenance tasks can create special 
accounts for those tasks, or they can temporarily modify an existing account. 


Logon Workstations Use this setting to limit the computers to which a particular 
account can sign in. By default, users can use an account to sign into any computer in 
the domain. Use this setting to ensure that users can use privileged accounts only on 
specific, specially configured administrative workstations or certain servers. Limiting 
which computers users can use reduces the locations where accounts can be used. 


Password Never Expires You should use this setting reluctantly when configuring 
privileged accounts because it absolves the account from the domain password policy. 
You can use products such as Microsoft Identity Manager to assist with password man- 
agement for privileged accounts. 


Smart Card Is Required For Interactive Logon Use this setting to ensure that a 
smart card must be present for the account sign-in to occur. In high-security environ- 
ments, you should deploy smart cards and enable this option to ensure that only an 
authorized person who has both the smart card and the account credentials can use the 
privileged account. 


Account Is Sensitive And Cannot Be Delegated Use this setting to ensure that 
trusted applications cannot forward the account credentials to other services or com- 
puters on the network. Enable this setting for highly privileged accounts. 
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= This Account Supports Kerberos AES 256 Bit Encryption Use this setting to allow 
Kerberos AES 256-bit encryption. Where possible, you should configure this option for 
privileged accounts and have them use this form of Kerberos encryption over the AES 
128-bit encryption option. 


= Account Expires Use this setting to configure an expiration date for an account. Con- 
figuring privileged accounts with expiration dates ensures that privileged accounts do 
not remain available to use beyond when they are required. 


When you join a computer to a domain for the first time, it creates a computer account in 
the Computers container. If you want to create an account in a specific container, you'll need 
to pre-stage the computer account and place it in the appropriate OU. A pre-staged computer 
account must have a name that matches that of the computer that is joining the domain. 


Computer accounts can be made members of the domain security group. This group mem- 
bership influences how the Local System and Network Service accounts on the computer func- 
tion. This is because, by default, these services use the computer's credentials when interacting 
with resources on the network. This gives the computer account the rights and privileges 
assigned to any security group to which the computer is a member. 


Computer accounts have automatically assigned passwords that are updated every 30 days. 
If a computer doesn’t connect to a domain within 30 days, a new password is assigned the next 
time a connection is established. If you disable a computer account, the computer cannot con- 
nect to the domain and domain users are unable to sign into the computer until the account is 
re-enabled. 

Resetting a computer account removes the relationship between the computer and the 
domain. To fix this, you'll need to either join the computer back to the domain or reestablish 
the broken trust relationship using the following PowerShell command, specifying the creden- 
tials of a member of the Domain Administrator group: 


Test-ComputerSecureChannel -credential <domain>\<admin> -Repair 


If you delete a computer account, it’s necessary to rejoin the computer to the domain 
manually. When you delete a computer account, all information associated with the account is 
removed from Active Directory. You should only delete computer accounts after a computer 
has been decommissioned. 


NEED MORE REVIEW? AD DS SECURITY BEST PRACTICES 


You can learn more about AD DS security best practices at https://docs.microsoft.com/ 
en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for- 
securing-active-directory. 
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Manage AD built-in administrative groups 


AD DS includes specific accounts and groups that have already been delegated specific privi- 
leges that allow them to perform special actions on users, groups, and even modify the very 
properties of AD DS itself. Securing AD DS requires securing these accounts and groups. 


Enterprise Admins 


The Enterprise Admins group is hosted in the forest root domain. The Enterprise Admins group 
is amember of the built-in Administrators group for each domain in an AD DS forest. When a 
forest is created, the built-in Administrator account for the forest root domain will be a mem- 
ber of the Enterprise Admins group. This universal group is stored in the Users container of the 
forest root domain. Members of this group are granted rights and permissions that function 
across the forest, such as the ability to add or remove domains from the forest, configure for- 
est trusts, and raise forest functional levels. Membership of this group is only necessary when 
performing forest-wide changes. Because forest-wide changes are extremely rare, logon activ- 
ity by members of this group should also be extremely rare. Such activity should be closely 
monitored, and any changes to the membership of this group are almost always evidence of 
AD DS being compromised. 


Domain Admins 


Each domain in a forest has a separate Domain Admins group. The Domain Admins group for a 
domain is a member of that domain's built-in Administrators group and a member of the local 
Administrators group on all domain-joined computers. Domain Admins are able to perform 
almost every task within their domain. Similar to Enterprise Admins, in a properly designed 
environment, sign-on with accounts that are members of the Domain Admins group should 

be rare. Common Domain Admin tasks, such as account management, can be delegated to 
specific security groups. 


In reality, many organizations load up the Domain Admins group with far too many users 
who don't need those privileges. If you look at your organization's Domain Admins group and 
see user accounts belonging to members of the help desk or, even worse, service accounts, it’s 
time to do a serious assessment of the group's membership. 


Administrators 


The Administrators group is a domain local group stored in the Built-in container. Domain 
Admins and Enterprise Admins are members of this group, as shown in Figure 1-17. This group 
functions in a manner similar to a local Administrators group for Domain Controllers (which do 
not have such a group). Members of this group have full control permissions on almost all AD 
DS objects and are able to take control of those objects. Members of the Enterprise Admins 
and Domain Admins groups often inherit the permissions they use through membership of the 
built-in Administrators group. Members of this group are not granted permissions on member 
servers or computers. 
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General Members MemberOf Managed By 


Members: 


Name Active Directory Domain Services Folder 


| Administrator 
| 2 Domain Admins _ tailwindtraders.intemal/Users 
| $2, Enterprise Admi... tailwindtraders intemal/Users 
|B Prime Admin _tailwindtraders.intemal/Users 


taiwindtraders.intemal/Users 
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FIGURE 1-17 Built-in Administrators group 


Schema Admins 


Apply 


Schema Admins is a universal group stored in the Users container of the forest root domain. 
Schema Admins are able to modify the AD DS schema but have few rights and permissions to 
any other objects within Active Directory. The default member of the Schema Admins group is 
the root domain’s built-in Administrator account. 


Other built-in groups 


There are many other important security groups built into AD DS. Prior to delegating rights 
and permissions, which you will learn about later in this chapter, investigate whether one of the 
existing security groups might meet your needs. Table 1-2 lists all of the Windows Server built- 


in default groups. 


TABLE 1-2 AD DS security groups 


Group Function 


Access Control Assistance 


Account Operators 


Members can query authorization attributes and permissions for 
Operators resources on the computer. 


Members can manage domain user and group accounts. 


Administrators Built-in administrators group. On a DC this provides unlimited access to 
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Group 


Allowed RODC Password Replica- 
tion Group 


Backup Operators 

Cert Publishers 

Certificate Services DCOM Access 
Cloneable Domain Controllers 
Cryptographic Operators 


Denied RODC Password Replication 
Group 


Distributed COM Users 
DNSAdmins 


DNSUpdateProxy 


Domain Admins 


Domain Computers 
Domain Controllers 
Domain Guests 
Domain Users 


Enterprise Admins 


Enterprise Key Admins 


Enterprise Read-only Domain 
Controllers 


Event Log Readers 

Group Policy Creator Owners 
Hyper-V Administrators 
IIS_IUSRS 


Incoming Forest Trust Builders 


Function 


Members can have their passwords replicated to read-only domain 
controllers (RODCs). 


Members can override security restrictions to back up or restore files. 
Members can publish certificates to AD DS. 

Members can connect to certificate authorities. 

Domain controllers that can be cloned. 

Can perform cryptographic operations. 


Members cannot have their passwords replicated to RODCs. 


Can launch, activate, and use distributed COM objects. 
DNS administrators group. 


Group for DNS clients who are able to perform dynamic updates on 
behalf of services, such as DHCP servers. 


Members can administer the domain. Automatically members of the 
local Administrators group on every computer in the domain. Default 
owner of all objects created in Active Directory. 


All computers that are members of the domain. 
All domain controllers in the domain. 

Hosts the built-in domain guest account. 

Hosts all user accounts in the domain. 


Only present in the root domain of a forest. Can make forest-wide 
changes, such as raising forest functional level or adding domains. 


Members can perform administrative tasks on key objects at the forest 
level. 


Group for enterprise RODCs. 


Can view the contents of event logs on the computer. 
Members can create and modify GPOs. 

Can manage Hyper-V on the local machine. 

Internet Information Services built-in group. 


Members can create incoming, one-way trusts to the forest. 


[ER1 Secure Windows Server on-premises and hybrid infrastructure 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


Group 


Key Admins 


Network Configuration Operators 


Performance Log Users 


Performance Monitor Users 


Pre-Windows 2000 Compatible 
Access 


Print Operators 


Protected Users 


RAS and IAS Servers 


RDS Endpoint Servers 


RDS Management Servers 


RDS Remote Access Servers 


Read-only Domain Controllers 
Remote Desktop Users 
Remote Management Users 
Replicator 


Schema Admins 


Server Operators 
Storage Replica Administrators 


Terminal Server License Servers 


Users 


Windows Authorization Access 
Group 


Function 


Members can perform administrative tasks on key objects at the domain 
level. 


Members can configure networking features. 


Members can schedule logging of performance counters and collect 
event traces. 


Members can access performance counter data locally and remotely. 


A group that exists for backward compatibility. 


Members can manage printers deployed on domain controllers. 


Members of this group have stricter security controls applied to their 
accounts. 


Members in this group are able to access the remote access settings of 
user accounts. 


Servers in this group host VMs used with RemoteApp programs and 
personal virtual desktops. 


Servers in this group can perform administrative actions on other serv- 
ers running the Remote Desktop Services role. 


Servers in this group enable users of RemoteApp programs and per- 
sonal virtual desktop to access resources. 


Read-only domain controllers in the domain. 

Granted the right to sign on using Remote Desktop. 

Members can access WMI resources over management protocols. 
Group supporting file replication at the domain level. 


Root domain group. Members are authorized to make changes to Active 
Directory Schema. 


Members can administer domain member servers. 
Members can manage storage replica. 


Members can update Active Directory information about terminal ser- 
vices licensing. 


Built-in Users group. 


Have access to computed tokenGroupG1lobalAndUniversal attribute 
on User objects. 
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NEED MORE REVIEW? PRIVILEGED AD DS ACCOUNTS AND GROUPS 


You can learn more about privileged accounts and groups in AD DS at https://docs.microsoft.com/ 
en-us/windows/security/identity-protection/access-control/active-directory-security-groups. 


Manage AD delegation 


Least privilege is the practice of assigning only the minimum required privileges to an 
account for the account to perform its assigned tasks. Put another way, accounts should not 
be assigned rights and privileges in excess of those required to perform the specific tasks for 
which the account is used. 


The benefit of using least privilege is that in the event that an attacker manages to compro- 
mise an account, that attacker is limited to acting with the privileges assigned to that account. 
Least privilege also reduces the chance that damage might inadvertently be done to a system. 
For example, an account used for backup and recovery can't be used to add or remove soft- 
ware from the server if that account doesn’t have permission to do anything beyond backup 
and recovery. 


When it comes to assigning privileges, a very bad habit of many IT professionals is to simply 
add an account to the local Administrators group on the computer where the privilege is 
required. This is especially true with service accounts where proper procedure is to edit the 
local security Group Policies and assign very specific rights; however, many administrators 
take a quick shortcut and assign all necessary rights by adding the service account to the local 
Administrators group. This is one of the reasons that attackers go after service accounts, which 
often use a single, unchanging, and organization-wide password and that also are members of 
the local Administrator groups on which they are installed. 


Role-based access control (RBAC) operationalizes the least-privilege principle. Instead of 
having all-powerful administrator accounts that can perform any task on any system, you 
parcel out administrative privileges that limit what an account can do and where an account 
can do it. 


For example, rather than giving help desk support staff the ability to reset the passwords 
of any user in the domain, you delegate them the right to only be able to reset the passwords 
of user accounts in a specific organizational unit. This way, you allow the support staff to reset 
the passwords of a specific class of user account; for example, you could grant support staff the 
authority to reset passwords that are used by people in one department without giving them 
the ability to reset the passwords of domain administrator accounts. 


You delegate privileges for organizational units in Active Directory using the Delegation Of 
Control Wizard, as shown in Figure 1-18. 
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Delegation of Control Wizard x 
Tasks to Delegate Z 
You can select common tasks ot customize yout own. | 


@ Delegate the following common tasks: 
C Create. delete. and manage user accounts A 
EA Reset user passwords and force password change at next logon 
D Read all user information 
D Create, delete and manage groups 
D Modiy the membership of a group 
D Manage Group Policy inks 
CO Generate Resultant Set of Pobey (Planning) y, 
< 


O Create a custom task to delegate 


<Back [New] | Cancel Heb 


FIGURE 1-18 Delegating the reset password right 


Implement and manage Microsoft Defender for Identity 


Microsoft Defender for Identity (formerly named Azure Advanced Threat Protection) allows 
you to monitor on-premises AD DS for suspicious and unusual security-related telemetry that 
might indicate your on-premises identity infrastructure has been compromised. 


Microsoft Defender for Identity allows you to: 


m Monitor users, groups, and other security principals using learning-based analytics. The 
properties of and behavior of each security principal are tracked. Any significant devia- 
tions to those properties or behaviors are flagged for review. 


m Protect security principals and credentials stored in AD DS. Microsoft Defender for 
Identity provides information on identity configuration and makes best practices 
recommendations. This allows you to reduce and remediate vulnerabilities in AD DS 
configuration. 


m Identify suspicious security principal activity and evidence of advanced attacks. 
Microsoft Defender for Identity scans for evidence of behavior discovered by Microsoft 
security researchers when investigating attacks against other AD DS and hybrid identity 
infrastructures. By looking for known patterns of compromise, Defender for Identity can 
flag and assist administrators with diagnosing and responding to compromises. 


m Identify brute-force attempts to compromise credentials, unusual volumes of failed 
authentications, and suspicious group membership changes. 


m Identify pass-the-ticket, pass-the-hash, and overpass-the-hash techniques used by 
attackers to perform lateral movement across hosts in an AD DS forest. 


m Identify and report evidence of domain dominance through remote code execution on 
AD DS domain controllers, DC shadow, malicious domain controller replication, Golden 
Ticket activities, and other known domain dominance techniques. 
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NEED MORE REVIEW? MICROSOFT DEFENDER FOR IDENTITY 


You can learn more about Microsoft Defender for Identity at https://docs.microsoft.com/ 


en-us/defender-for-identity/what-is. 


Defender for Identity Architecture 

Defender for Identity sensors are installed directly on each AD DS domain controller. These 
sensors access event logs directly and, after analyzing that telemetry, forward the analyzed 
information to the Defender for Identity cloud service. 


Defender for Identity includes the following elements: 


Microsoft 365 Defender portal You manage Microsoft Defender for Identity 
through a portal in the cloud rather than using on-premises consoles or portals. This 
portal displays data received from Defender for Identity sensors and allows you to 
monitor and interrogate telemetry for threats in your hybrid identity infrastructure. 


Defender for Identity sensor You need to install Defender for Identity sensors on 
AD DS domain controllers. Because any AD DS domain controller can process authenti- 
cation traffic, you will need to deploy Defender for Identity sensors on all AD DS domain 
controllers in a monitored forest to be able to view all possible security telemetry. This 
sensor can also ingest RADIUS accounting data from an appropriately configured VPN 
provider. One sensor functions as the domain synchronizer and replicates data on 
behalf of all AD DS domain controller sensors for a domain. 


Defender for Identity cloud service This cloud service performs all the back- 

end storage and analysis of telemetry ingested by the Defender for Identity sensors 
deployed on AD DS domain controllers. At present this service runs on Azure infrastruc- 
ture in the United States, Europe, and Asia. 


NEED MORE REVIEW? MICROSOFT DEFENDER FOR IDENTITY ARCHITECTURE 


You can learn more about Microsoft Defender for Identity Architecture at https:// 


docs.microsoft.com/en-us/defender-for-identity/architecture. 


Deploy Defender for Identity 


You need to create a special AD DS account to be used by Defender for Identity so that it can 


perform the following functions: 
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Connect to AD DS using LDAP using its account credentials. 


Query the domain controller for information on entities discovered in network traffic, 
monitored events, and monitored Event Tracing for Windows (ETW) activities. 


Communicate with other sensors and function in the “domain synchronizer” role to 
replicate data to Defender for Identity Service. 
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m Query the local administrator group membership of devices present in network traffic, 
events, and ETW activities. This information assists in tracking lateral movement by 
attackers. 


m The AD DS account requires read permission on all AD DS objects, including the Deleted 
Objects container. 


Microsoft recommends that you use a gMSA when configuring the special AD DS account 
used by Defender for Identity. You can configure separate accounts if they have the appropri- 
ate permissions for each sensor, but the recommended configuration is to use a single gMSA. 
You should add this gMSA to the built-in Domain Controllers security group. The gMSA must 
be installed on each AD DS domain controller before it can be used with the Defender for 
Identity server. 


You download the Defender for Identity sensor from the Defender for Identity portal. 
When you download the software, you will be provided with an access key for the Defender for 
Identity Service. You can use the same key when installing the sensor software on each AD DS 
domain controller. The software download is a zip file that includes the Defender for Identity 
installer (Azure ATP sensor Setup.exe) and the configuration setting file that is used to con- 
nect to the Defender for Identity cloud service. Regenerating the access key only impacts new 
installations and will not impact any previously deployed sensor registrations. 


NEED MORE REVIEW? DEPLOY DEFENDER FOR IDENTITY 


You can learn more about deploying Defender for Identity at https://docs.microsoft.com/ 
en-us/defender-for-identity/directory-service-accounts. 


Implement and manage Azure AD self-service 
password reset 


Something that is challenging to deploy in an on-premises environment but that is relatively 
straightforward to deploy in an environment that uses Azure AD as a source of identity author- 
ity is self-service password reset. A self-service password reset allows users to reset their own 
password when they forget that password rather than having to contact the service desk and 
have a member of the IT staff perform the task for them. 

Self-service password reset with writeback of the reset password to on-premises AD DS 
requires an Azure AD Premium license for each user who will use this feature. You also need to 
enable password writeback when configuring Azure AD Connect. The account configured for 
Azure AD connect must have the following permissions: 

m Reset password 
m Write permissions on lockoutTime 


m Write permissions on pwdLastSet 
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m Extended rights for Unexpire Password on the root object of each domain in the syn- 
chronized forest 


To enable self-service password reset, perform the following steps: 


1. Open the Azure Active Directory portal at https://aad.portal.azure.com with an account 
that has tenant administrator permissions. 


2. Inthe Azure Active Directory Admin Center, select the Users node. This will open the 
Users blade, as shown in Figure 1-19. 


Azure Active Directory admin center 


« d c Users > All users 

C oashboard Users - All users 

sulaman “denawa Pen guest user A eee more 

# tuwane Š Allusers É 

© Azure Active Directory Deleted users ay ame or em KE 

Ò Uses T Password reset NAME USER NAME USER TYPE SOURCE 

H enterprise appiications User settings Q Adele Vance ‘AdeleV@eplstemicuse... Member Azure Active Directory 
Any © Alex Wilber  AlxWOM3651381003.. Member Azure Active Directory 
2 signing o Alan Deyoung AltanD@M265x301063.... Member Azure Active Directory 
Audit logs |] Cluistie Cine Chattie @MI6538106_ Member Ane Active Duectory 
Troudieshooting e Support (=) Debra Berger  DebeaB@M365x381063_ Member Azure Active Directory 
X Troubleshoot eo Diego Sicilian’ DlegoS@M365x361063... Member Azure Active Directory 
Š New support request 

0o Emily Braun EmilyB@epistericutcom Member Azure Active Directory 


FIGURE 1-19 Azure Active Directory Admin Center open to the Users blade 


In the Users blade of the Azure Active Directory Admin Center, select Password Reset. 


4. On the Password Reset — Properties page, select All, as shown in Figure 1-20, to enable 
the self-service password reset for all Azure AD users. 


Azure Active Directory admin center 


« Dashboard > Users > Password reset - Properties 
E Dashboard Password reset - Properties 
Co 6 - Azure Active Owectery 
+= all services 
= F sae X Discard 
= FAVORITES Manage 
$ et enabled @ 
® azure active Directory 1! properties es 
a 
aa Users © Authentication methods 


FIGURE 1-20 Enabling self-service password reset 


Once self-service password reset is enabled, users will be prompted for additional informa- 
tion the next time that they sign in, which will be used to verify their identity if they use the 
self-service password reset tool. Users can reset their passwords by navigating to the website 
https://passwordreset.microsoftonline.com, shown in Figure 1-21, and completing the form. 
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LEGEA passwordreset.microsoftonline.com 


Microsoft 


Get back into your account 


Who are you? 


To recover your account, begin by entering your user ID and the characters in the picture or audio below 


Enter the characters in the picture or the words in the audio. 


FIGURE 1-21 Resetting a password 


NEED MORE REVIEW? SELF-SERVICE PASSWORD RESET 


You can learn more about self-service password reset at https://docs.microsoft.com/en-us/ 
microsoft-365/admin/add-users/let-users-reset-passwords. 


KJ) examTip 
“Remember that to detect all security risks across your organization's AD DS infrastructure, 
Defender for Identity sensors must be deployed on all domain controllers. 


Skill 1.3: Identify and remediate Windows Server 
security issues by using Azure services 


Azure includes several services that allow you to leverage the telemetry storage capacity and 
artificial intelligence capabilities of the cloud to determine if attackers have or are in the pro- 
cess of attempting to compromise Windows Server on-premises and laaS VM instances. In this 
section, you'll learn about a variety of features and services that you can use to monitor and 
secure your Windows Server hybrid workloads. 
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This section covers how to: 


= Monitor on-premises servers and Azure laaS virtual machines (VMs) by using 
Microsoft Sentinel 


m Identify and remediate security issues in on-premises servers and Azure laaS VMs 
by using Microsoft Defender for Cloud (Azure Security Center) 


m Manage security updates using Windows Server Update Services 
m Manage security updates using Azure Automation Update Management 


m Onboard Windows Server using Azure Automanage 


Monitor on-premises servers and Azure laaS virtual 
machines (VMs) by using Microsoft Sentinel 
Microsoft Sentinel (formerly Azure Sentinel) is a security information and event management 
(SIEM) and security orchestration, automation, and response (SOAR) solution. By connecting 
on-premises and Azure laaS Windows Server instances to Sentinel, you can ingest relevant 
security telemetry and analyze that data for indications of attack or compromise. Analysis tools 
include existing diagnostic routines developed by Microsoft security researchers. The SOAR 
component allows you to automate responses to known incident types. Sentinel allows you to: 
= Collect data at scale across all users, devices, applications, infrastructure in hybrid 
environments. 
m Detect unusual threats and minimize false positive results by leveraging Microsoft secu- 
rity research’s analytics and threat intelligence. 


m Use artificial intelligence to detect and investigate threats. 


m Use prebuilt orchestration and automation to respond to common tasks. 


NEED MORE REVIEW? SENTINEL OVERVIEW 


You can learn more about Sentinel at https://docs.microsoft.com/en-us/azure/sentinel/overview. 


Sentinel analyzes telemetry stored in a Log Analytics workspace. To use Sentinel to moni- 
tor the security configuration of Windows Server on-premises and laaS instances, you need to 
ensure that those computers are properly connected to a Log Analytics workspace and then 
ensure that the Log Analytics workspace is accessible to Microsoft Sentinel. 


The Microsoft Monitoring Agent (also the Azure Monitor agent and Log Analytics agent) 
allows you to collect telemetry from on-premises servers in hybrid environments and to ingest 
that data into Sentinel. You can use the following tools to install the Microsoft Monitoring 
Agent: 

m VM extension Windows Server laaS VMs can use the Log Analytics agent virtual 
machine extension. 


Secure Windows Server on-premises and hybrid infrastructure 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


Manual installation In this scenario you download the agent software and run the 
installer, providing the Log Analytics workspace ID and the Log Analytics workspace key 
during the installation process. 

Azure Automation State Configuration You can configure state configuration to 
ensure that the agent is installed and configured to communicate with the appropriate 
Log Analytics workspace. 

Scripting and Automation You can use PowerShell, Puppet, Chef, or any other con- 
figuration automation tool to automate the installation, deployment, and configuration 
of the agent. 

Azure Policy You can use Azure Policy for laaS VMs and Arc-enabled servers to deter- 
mine if the agent is present and then have a remediation task automate the installation 
and configuration of the agent. 


NEED MORE REVIEW? INSTALLING THE AGENT 


You can learn more about installing the agent used by Sentinel at https://docs.microsoft.com/ 


en-us/azure/azure-monitor/agents/log-analytics-agent. 


Identify and remediate security issues in on-premises 
servers and Azure laaS VMs by using Microsoft Defender 
for Cloud (Azure Security Center) 


Microsoft Defender for Cloud (formerly Azure Security Center) is a suite of products that allow 
you to protect your on-premises and cloud workloads. From the perspective of the Windows 
Server Hybrid Administrator, the most useful element of Defender for Cloud for protecting 
Windows Server Hybrid workloads is Microsoft Defender for Servers. Defender for Servers is an 
umbrella product that includes the following tools: 


Azure security baselines 

Threat and vulnerability management 
Just-in-time virtual machine access 
File integrity monitoring 

Adaptive application controls 


Adaptive network hardening 


NEED MORE REVIEW? MICROSOFT DEFENDER FOR SERVERS 


You can learn more about Microsoft Defender for Servers at https://docs.microsoft.com/en-us/ 


azure/defender-for-cloud/defender-for-servers-introduction. 
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Azure security baselines 


Azure security baselines allow you to assess the configuration of a managed Azure laaS Win- 
dows Server instance against a best practices security baseline. Assessing the Windows Server 
instance requires the Guest Configuration extension and that the laaS VM have a system- 
assigned managed identity. 


Once the laaS VM is assessed, you will be provided with a set of recommendations that 
describe what the identified security issue is, what the potential impact of that security issue is, 
how the vulnerability might be exploited, and steps you can take to remediate that vulnerabil- 
ity. In some cases, the vulnerability may be able to be resolved from the Azure portal. 


NEED MORE REVIEW? AZURE SECURITY BASELINES 


You can learn more about Azure security baselines at https://docs.microsoft.com/en-us/azure/ 
defender-for-cloud/apply-security-baseline. 


Threat and vulnerability management 


Threat and vulnerability management is a module for Microsoft Defender for Endpoint that 
allows you to discover and prioritize vulnerabilities and misconfigurations. You can use the 
threat and vulnerability management module for Microsoft Defender for Endpoint for both 
Windows Server laaS VMs and Azure Arc—enabled on-premises machines. 


Vulnerability management includes assessments beyond those detected by assessing a 
server against an Azure security baseline. For example, the vulnerability assessment may deter- 
mine where software needs to be updated or the configuration modified and links to appropri- 
ate CVE documentation. As with Azure security baseline assessment, you will be provided with 
a set of remediation steps for each detected vulnerability. 


NEED MORE REVIEW? THREAT AND VULNERABILITY MANAGEMENT 


You can learn more about threat and vulnerability management at https://docs.microsoft.com/ 
en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm. 


Just-in-time virtual machine access 

Rather than have management ports, such as the port used for Remote Desktop Protocol, TCP 
port 3389, open to hosts on the internet all the time, just-in-time (JIT) VM access allows you to 
open a specific management port for a limited duration of time and only open that port to a 
small range of IP addresses. You only need to use JIT if you require management port access to 
an Azure laaS VM from a host on the internet. 
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NEED MORE REVIEW? JIT VM ACCESS 


You can learn more about JIT VM Access at https://docs.microsoft.com/en-us/azure/ 
defender-for-cloud/just-in-time-access-overview. 


File integrity monitoring 

File integrity monitoring allows you to monitor critical files, including operating system files, 
the Windows Registry, and application software for modifications that might indicate that the 
software has become compromised. File integrity monitoring can report on: 


m File and registry key creation or deletion 
m Registry modifications, including changes in permissions, types, and content 


= Modifications to critical files, including changes in size, permissions, and content 
changes that invalidate a calculated file hash 


File integrity monitoring will recommend monitoring for files that are likely to be altered 
during an attack, including autoexec.bat, boot.ini, config.sys, system.ini, win.ini, regedit.exe, 
userinit.exe, explorer.exe, and msseces.exe. File integrity monitoring will also recommend that 
Registry keys and entries commonly modified by attackers be watched. You can add files and 
Registry areas to the default monitoring rules to expand your surveillance of system integrity. 


NEED MORE REVIEW? FILE INTEGRITY MONITORING 


You can learn more about file integrity monitoring at https://docs.microsoft.com/en-us/azure/ 
defender-for-cloud/file-integrity-monitoring-overview. 


Adaptive application controls 


The vast majority of servers run a consistent set of processes. Because this list of processes is so 
consistent, any deviation from this list of commonly run software can be evidence that some 
sort of compromise or breach has occurred. Adaptive application controls use machine learn- 
ing to determine which applications and processes regularly run on a Windows Server instance 
and create a behavior-based allow list to allow those applications to run while blocking any 
that don’t normally run. Adaptive application controls are more sophisticated than Windows 
Defender Application Control in that WDAC requires you to manually define which applica- 
tions can run whereas adaptive application controls will generate that list based on observing a 
healthy system. 


You can modify a generated allow list to add or remove programs as necessary. Allow lists 
can be applied on a per-system basis or to a collection of systems. Adaptive application con- 
trols are available for Windows Server laaS VMs as well as Azure Arc—enabled servers. 
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NEED MORE REVIEW? ADAPTIVE APPLICATION CONTROLS 


You can learn more about adaptive application controls at https://docs.microsoft.com/en-us/ 
azure/defender-for-cloud/adaptive-application-controls. 


Adaptive network hardening 


Adaptive network hardening monitors traffic flowing through existing network security groups 
and makes recommendations on how the rules in those groups could be further tightened to 
improve security. Adaptive network hardening uses machine learning to analyze actual traffic 
patterns, known trusted configurations, threat intelligence, and other indicators of intrusion 

to provide recommendations on limiting traffic to specific IP addresses and ports. Rather than 
open a port to the public internet for all IP address ranges, the adaptive network hardening 
process might determine that traffic on that port only occurs from a specific public set of IP 
addresses. A recommended network security group rule would restrict traffic only to that set of 
IP addresses rather than allowing traffic from a broader range of hosts. 


NEED MORE REVIEW? ADAPTIVE NETWORK HARDENING 


You can learn more about adaptive network hardening at https://docs.microsoft.com/en-us/ 
azure/defender-for-cloud/adaptive-network-hardening. 


Manage security updates using Windows Server Update 
Services 


You can install Windows Server Update Services (WSUS) as a role on Windows Server in both 
the Server Core and GUI configurations. Although WSUS does include Windows PowerShell 
support, not all WSUS functionality has been replicated in Windows PowerShell, and you'll 
likely need to manage a WSUS server deployed on Server Core using the RSAT tools. 


When you install WSUS, you can choose between using an local Windows Internal Database 
(WID) or an SQL Server instance. The advantage of using an SQL Server instance is that it’s 
easier to back up and you can run more complex reports. The majority of WSUS deployments 
use the built-in WID database. When you install WSUS on Windows Server, all prerequisite 
components are also installed. 


Products, security classifications, and languages 
During setup, you are asked to choose which update you want to download based on product 
name, security classification, and languages. Although you can choose to download updates 
for all product categories for all classifications in all languages, you'll minimize the amount of 
configuration required later if you download updates only for products used on your organiza- 
tional network. 

When WSUS synchronizes, it may update the list of available product names to reflect newly 
released software. If your organization deploys a new product, if it retires an old product, or if 
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you simply want to alter which updates are synchronized, you can modify which products are 
updated using the Products And Classifications dialog box, available through Options in the 
Update Services console and shown in Figure 1-22. 


Products and Classifications x 


Products| Classifications 


<$] You can specify the products for which you want to synchronize 
MF updates. 


Products: 
DAN Products A 
O Microsoft 
(Active Directory 
D Active Directory Rights Management Services Client 2.0 
DiAntigen 
Dl Antigen for Exchange/SMTP 
CJASP.NET Web and Data Frameworks 
(ASP.NET Web Frameworks 
OBing 
Ding Bar 
O Sesrch Enhancement Pack 
C Windows Live 
OM BizTalk Server 


IRs Tall Sarar 2007 a 
< > 


All products, including products that are added in the future. 


Ca] ea 


FIGURE 1-22 WSUS Products 


Autonomous and replica modes 


A single WSUS server can support approximately 25,000 clients. Large organizations often 
have multiple WSUS servers because it's better to have a local WSUS server at each large site 
than to have clients pull updates and approvals across wide area network (WAN) links. Instead 
of administrators performing the same approvals on each WSUS server in the organization, 
you can configure a WSUS server as a replica of another server. When you configure a WSUS 
server as a replica, the downstream server copies all update approvals, settings, computers, 
and groups from its parent. You can configure the Update Source settings, as well as specify 
information that enables WSUS to use a proxy server, through the Update Source And Proxy 
Server item in Options, in the Update Services console. 


Update files 
One of the benefits of deploying WSUS is that clients on the local network download their 
updates from the WSUS server rather than downloading updates from the Microsoft Update 
servers on the internet. You can configure update storage location settings using the Update 
Files And Languages item in the Options area of the Update Services console. You can config- 
ure the following options: 

= Store Update Files Locally On This Server When you select this option, you can 

choose whether to download files only after they have been approved; download 
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express installation files, which install quicker on clients; or download files from Microsoft 
Update. With the last option, you can configure a server as a replica server but have update 
files downloaded from Microsoft Update rather than the upstream replica server. 


= Don’t Store Update Files Locally; Computers Install From Microsoft Update 
When you configure this option, clients use WSUS for update approvals but retrieve 
the updates from the Microsoft Update servers on the internet. This option is most 
appropriate when you are providing update approvals to clients located outside of the 
organizational network. 


WSUS security roles 


In large organizations, you are more likely to separate the roles of server administrator and 
update administrator. When you install WSUS, two local security groups are created. By adding 
users to these groups, you grant users the permission to perform the tasks assigned with these 
roles. The roles are as follows: 


= WSUS Administrators Users who are added to the local WSUS Administrators group 
can perform any WSUS administration task. These tasks include approving updates, 
managing computer groups, configuring automatic approval rules, and modifying the 
WSUS server's update source. 


m WSUS Reporters Users who are members of this role can run reports on the WSUS 
server. These reports detail the update compliance status on the basis of update and 
computer. For example, a user who is a member of this group can run a WSUS report 
and determine which computers are missing a specific critical update. 


WSUS groups 


You can use WSUS groups to organize computers for the purpose of deploying updates. For 
example, you might have a WSUS group for servers in Sydney and another WSUS group for 
servers in Melbourne. A computer can be a member of multiple WSUS groups, and WSUS 
groups can exist in parent-child relationships. For example, the Australia WSUS group might 
have both the Melbourne and Sydney WSUS groups as members. Updates approved for the 
Australia group are automatically approved for members of the Melbourne and Sydney groups 
unless overridden. 


You can assign computers to WSUS groups manually or through Group Policy. Computers 
can be assigned to WSUS groups through Group Policy only if the computer groups already 
exist on the WSUS server. To assign a computer manually, the computer must have already 
reported to the WSUS server. Computers that have reported to the WSUS server but have not 
been assigned to a group are members of the Unassigned Computers group. 

An administrator must create WSUS groups. To create a WSUS group, perform the following 
steps: 

1. Open the Update Services console. 


2. Select the group you want to have as the parent group. The Computers/All Computers 
group is the parent group for all groups. 
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3. From the Action menu, select Add Computer Group. 


4. Specify the computer group name and select Add. 


WSUS policies 


You can configure most WSUS client options through Group Policy. Many of these policies 

are related to the experience that users of client operating systems have when updates are 
installed and are not directly applicable to updating server operating systems. Windows 
Update policies are located in the Computer Configuration\Policies\Administrative Templates\ 
Windows Components\Windows Update node of a standard GPO. 


The most important policies from the perspective of the server administrator are as follows: 


= Configure Automatic Updates You can enable automatic updating, specify a day for 
update installations, and specify a time for update installation to occur. It's usually not a 
good idea to have this one policy to apply to all servers in your organization. Having all 
servers install and reboot at the same time can cause substantial disruptions. 


= Specify Intranet Microsoft Update Service Location You can specify the location 
of the WSUS server and the statistics server. (The statistics server receives information 
on successful update installation and is usually the same as the WSUS server.) 


= Automatic Update Detection Frequency Determines how often the computer 
checks for updates. 
= Enable Client-Side Targeting Use this policy to specify which WSUS groups comput- 


ers should be a member of. If the names do not match, those computers end up in the 
Unassigned Computers group. 


Deploying updates 
When you deploy updates, you decide whether to deploy the update, to which computer 
groups you deploy the update, and what deadline should apply to the deployment. You can 
deploy an update multiple times to different groups, so you can deploy an update to a test 
group and then, if no issues arise with the update, deploy the update more generally. Prior to 
deploying updates, you should perform a synchronization, which ensures that the WSUS server 
is up to date before you choose whether to deploy updates. 

To deploy an update, perform the following steps: 

1. Open the Update Services console and select the Updates\All Updates node. You can 
also select a child node, such as Critical Updates, if you want to view only available criti- 
cal updates. 

2. Set the Approval setting to Unapproved, set Status to Any, and select Refresh. All 
unapproved updates are then listed. 


3. Select one or more updates and then select Approve in the Actions pane. 
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4. Inthe Approve Updates dialog box, select which computer groups the update is 
approved for. You can choose between the following settings: 


= Approved For Install Approves the update. 

= Approved For Removal Removes a previously deployed update. 

m NotApproved Does not approve the update. 

= Keep Existing Approvals Inherits the approval from the parent group. 


= Deadline Specifies an update deployment deadline. 


Automatic approval rules 


Automatic approval rules enable specifically categorized updates to be automatically 
approved. For example, you might choose to automatically approve critical updates for the 
Sydney-Development-Servers WSUS group, as shown in Figure 1-23. 


Add Rule x 


EN Select which updates to approve and the groups for which to approve them. 


Step 1: Select properties 

When an update is in a specific classification 
When an update is in a specifie produet 

Set a deadline for the approval 


Step 2: Edit the properties (click an underlined value) 
When an update is in Cntical Updates 

When an update is in any product 

Approve the update for Sydney-Development-Servers 
Set a deadline for 7 days after the approval at 3:00 AM 


Step 3: Specify a name 


OK Cancel 


FIGURE 1-23 Automatic approval rules 


To configure an automatic approval rule, perform the following steps: 


1. Open the Update Services console. You can do this from the Tools menu of Server 


Manager or by right-clicking the server in a Server group and selecting Windows Server 
Update Services. 


2. Inthe Update Services console, select Options and then select Automatic Approvals. 
In the Automatic Approvals dialog box, select New Rule. 
4. Inthe Add Rule dialog box, choose the following rule options: 


m When An Update Is In A Specific Classification You can choose that the rule 
applies when an update matches a specific classification or number of classifications. 
Update classifications include Critical Updates, Definition Updates, Drivers, Feature 
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Packs, Security Updates, Service Packs, Tools, Update Rollups, and Updates. Micro- 
soft includes classifications for each software update when it publishes the update. 


m When An Update Is For A Specific Product You can specify products, either by 
category, such as Exchange, or by specific product, such as Exchange Server 2013. 


= Approve The Update For A Specific Computer Group The update can be 
approved for selected computer groups. 


= Set An Approval Deadline Sets an installation deadline for the update based on 
the time and date the update was first approved. 


Automatic approval rules aren't suitable for production servers hosting important work- 
loads because it is possible that an update will be installed without being properly tested. 
Automatic approval rules are suitable for test groups. You should populate your test group 
with users who are more likely to offer feedback if something goes wrong. Just as a canary 
in a coal mine was used by miners to detect dangerous gas, “canary users” are likely to raise 
an alarm when a software update causes problems that indicate it shouldn't be deployed ina 
production environment. Users who complain are much more valuable as deployment targets 
for update testing than users who ignore problems and do not provide feedback. 


Manage security updates using Azure Automation 
Update Management 
Azure Update Management allows you to automate the deployment of updates to comput- 
ers running both the Windows and Linux operating systems. You can configure on-premises 
Windows Servers to use Azure Update Management using Windows Admin Center. You can 
also manage the deployment of updates to those servers using Windows Admin Center. Azure 
Update Management differs from WSUS in that it requires a connection to Azure to work and 
cannot be deployed in offline scenarios. It also allows you to force the installation of updates 
on servers remotely, which is something that you can’t directly do using WSUS. 

To configure and use Azure Update Management on a Windows Server managed by Win- 
dows Admin Center, perform the following steps: 

1. In Windows Admin Center, select Azure Hybrid Services node and select Discover Ser- 
vices. In the section describing Azure Update Management, select Set Up. 

2. After some time, you'll be asked whether you want to create a new or use an existing 
resource group to host the Azure elements of Azure Update Management. You'll also be 
asked whether you want to create a new or use an existing log analytics workspace and 
whether you want to create a new or use an existing Azure Automation account. Once 
you've made these decisions, select Set Up. 

3. Once Azure Update has been configured, select Azure Hybrid Services, and then 
select Azure Update Management. 

4. This will open the Azure portal, which will provide a report on all servers that are config- 
ured to report to the Update Management instance. The Update Management instance 
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will provide information on each server associated with it, including which updates are 
missing and the nature of those updates. 


5. To deploy updates, select Schedule Update Deployment in the Update Management 
blade of the Azure console. When configuring a scheduled update, you need to provide 
the following information: 


= Name ofthe update deployment This is especially useful if you configure a 
recurring schedule. 


= Operating system Azure Update Management allows you to deploy updates to 
computers running Windows or Linux operating systems in a single update deploy- 
ment, but not to both operating systems in one deployment. 


m Groups You can configure query-based groups so that the update deployment 
targets computers that meet the criteria that are specified in the query. 


= Machines to update Allows you to select specific computers to which the update 
deployment applies. 


m Update classifications Rather than select specific updates, you configure an 
update deployment so that all updates that meet a specific update classification 
will be deployed (though you do have the option of excluding specific updates by 
Update ID). For Windows computers, the update classifications are Critical Updates, 
Security Updates, Update Rollups, Feature Packs, Service Packs, Definition Updates, 
Tools, and Updates. 


= Include/exclude updates Allows you to choose specific updates based on KBIDs. 
You can find relevant KBIDS in the list of missing updates in the Azure Update Man- 
agement console. 

= Schedule settings Allows you to specify when updates will be deployed. You can 
configure a schedule to recur. When you do this, all updates that meet the classifica- 
tion characteristics specified in the update deployment will be deployed. 

= Maintenance window The amount of time that can be taken to install updates, 
with the final 20 minutes of the assigned maintenance window reserved for restart 
operations. For example, if you set a maintenance window of 120 minutes, the update 
installation will be halted after 100 minutes have elapsed so that restart operations 
can occur. 

= Rebootoptions Allows you to specify whether the server can restart automatically 
after update deployment or whether this step must be performed manually. 


Azure Update Management provides you with more telemetry about which servers need 
updates than WSUS does. 


NEED MORE REVIEW? UPDATE MANAGEMENT 


You can learn more about Azure Automation Update Management at https:// 
docs.microsoft.com/en-us/azure/automation/update-management/overview. 
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Onboard Windows Server using Azure Automanage 


Azure Automanage is a service that automates the deployment of a number of existing ser- 
vices used to secure and monitor Azure laaS VMs, including those running the Windows Server 
operating system. Automanage will onboard and configure the following services for Windows 
Server laaS VMs: 


= Boot diagnostics 

m Security Center 

m Azure monitoring 

m Azure Automation Update Management 
m Azure backup 

m Azure Log Analytics 

m Azure configuration management 

m Change tracking and inventory 

= Azure Automation accounts 


On-premises Azure Arc—enabled servers can use Azure Automanage to enroll on-premises 
systems in the following Azure services: 


m Machines Insights Monitoring 

m Azure Automation Update Management 
m Microsoft antimalware 

m Change tracking and inventory 

m Azure guest configuration 

= Azure Automation accounts 

m Azure Log Analytics 


Each of these Azure services can be enabled and configured on an individual basis for an 
laaS VM or Azure Arc—enabled server. The advantage of Automanage is that it simplifies the 
process of deploying and configuring each of them for you. You can enable Automanage 
through the Azure portal or through Azure Policy. 


NEED MORE REVIEW? AZURE AUTOMANAGE 


You can learn more about Azure Automanage at https://docs.microsoft.com/en-us/azure/ 
automanage/automanage-virtual-machines. 


() ) EXAM TIP 


Remember when installing the Azure Monitor Agent to be used by Microsoft Sentinel, you 
must specify the Azure Log Analytics workspace ID and the workspace key. 
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Skill 1.4: Secure Windows Server networking 


Network traffic carries sensitive information that you don’t want intercepted by third parties 
as it travels across your organizational network or across the internet. Networks are also the 
primary vector for attackers as they use special tools to probe and penetrate the TCP ports of 
your organization's infrastructure. In this section, you'll learn how you can protect Windows 
Server using the built-in firewall feature as well as how to implement connection security rules 
so that critical servers will only communicate with authenticated hosts. 


This section covers how to: 
m Manage Windows Defender Firewall 
m= Implement connection security rules 


= Implement domain isolation 


Manage Windows Defender Firewall 


Windows Defender Firewall with Advanced Security (WDFAS) is a bidirectional, host-level 
firewall. This means not only can you set it to protect a host from incoming traffic, you can also 
have it block all or specific outgoing traffic. Generally, you can control outbound traffic only 
on very sensitive hosts. Controlling outbound traffic minimizes the chance of malware infect- 
ing the server that is phoning home. On sensitive hosts, you should allow outbound traffic on a 
per-application rule. For example, you should create a rule to allow a specific browser to com- 
municate with the internet rather than just allowing outbound traffic on port 80. 


WDFAS allows for the creation of rules based on program, port, or predefined rules. There 
are 45 predefined rules, which include categories such as Remote Desktop, Windows Firewall 
Remote Management, File and Printer Sharing, and Core Networking. One of the useful things 
about WDFAS is that it generally enables the appropriate firewall rules when you enable a spe- 
cific role, role service, or feature. These default rules are appropriate most of the time, but you 
may wish to edit the properties of these rules to make them more secure. 


Firewall profiles 


Firewall profiles allow you to treat traffic differently depending on the network to which the 
computer is connected. For example, the same server might be connected to the following: 


m Aremote site through a VPN connection that has the private profile applied 
= A perimeter network by a network adapter, where the connection has the public profile 
applied 


= To the organization's internal network through a second adapter that has the domain 
profile applied 


Secure Windows Server on-premises and hybrid infrastructure 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


The advantage of separate profiles is that each one allows you to have separate sets of 
firewall rules applied. You might allow Distributed File System (DFS) traffic on one profile, web 
traffic on another, and SMTP traffic on a third. 


Profiles are independent of each other; the settings that you configure for one profile do 
not apply to other profiles. You can configure the following properties for each profile: 


m Firewall State You can set this to On (default) or Off. 


= Inbound Connections You can set this to Block (default), Block All, or Allow. The 
Block All setting means firewall rules that allow connections are ignored. 


= Outbound Connections You can set this to Block or Allow (default). 


m Settings This allows you to configure whether notifications are displayed, whether 
unicast responses are transmitted to multicast or broadcast traffic, and whether to 
merge rules when rules apply both locally and through Group Policy. 


m Logging This allows you to specify logging settings. 


Firewall logs are written to the %systemroot%\system32\LogFilres\Firewall\pfirewall.log file. 


The default settings do not log dropped packets or successful connections, which means that, 
unless you change the defaults, nothing is logged. Firewall logging is most useful when you've 
determined that a particular service is unavailable to the network because of the firewall. 


You can turn on firewall logging on a per-profile basis by selecting the Customize button 
next to Logging on each profile’s properties page. This displays the Customize Logging Set- 
tings dialog box shown in Figure 1-24. You can then enable logging for dropped packets and 
successful connections. If you are having trouble with a newly installed service on a server, 
enable the logging of dropped packets to determine the properties of the packets dropped so 
that you can create a firewall rule that allows your service to be accessed from the network. 


Customize Logging Settings for the Domain Profile x 
Name: ‘\system32\Logfiles\Frewall\pfrewalllog| | Browse] 
Size limit (KB): 4,096 > 
Log gropped packets: No @efaut) {v 
Log successful connections: No (defauh) {v 


Note: if you are configuring the log file name on Group Policy object, ensure 
that the Windows Firewall service account has write permissions to the folder 
containing the log file. 


Default path forthe log file is 
‘systemroot’,\system32\oghiles firewall \pfirewall Jog. 


OK Cancel 


FIGURE 1-24 Custom Logging Settings 


Inbound rules 


Inbound rules are based on program, port, or one of 45 predefined categories, such as 
BranchCache Content Retrieval or Network Policy Server. You can also create custom rules 


Skill 1.4: Secure Windows Server networking 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


69 


70 


that include a mixture of these, where you specify a program and a port as well as a rule scope. 
For example, you can use a custom rule to block all incoming traffic on port 80 to a particular 
application but not block port 80 traffic to other applications on the server. The basic aspects 
of creating a firewall rule involve: 


Specifying a program or port When you specify a port, you must choose whether 
the rule applies to TCP or UDP traffic. 


Specifying what action should be taken You can allow the connection, in which 
case, all traffic that matches the rule is allowed by the firewall. You can allow the con- 
nection if it is authenticated, in which case, traffic that meets the IPsec authentication 
requirements and the connection security rules is allowed, but traffic that is not prop- 
erly authenticated according to these conditions is dropped. 


Specifying the network profiles in which the rule applies In general, rules should 
apply in all profiles, but there might be circumstances where you want to allow traffic 
from an interface connected to a domain network but block the same traffic if it comes 
from an interface connected to a public network. 


After you have created the rule, you can then edit the rule's properties. Editing the rule's 
properties allows you to configure more advanced options than are present in the Rule Cre- 
ation Wizard. By editing a rule's properties, you can 


Configure a rule to apply to a service rather than just a program. 


Limit the computers that can make authenticated connections. By default, if you config- 
ure the Allow Traffic If The Connection Is Authenticated option, any computer that 
can authenticate is able to successfully transmit traffic. By editing a firewall’s rules, you 
can limit traffic to specific computers, rather than all authenticated computers. You can 
do the same with user accounts, limiting successful connections to specific users when 
authentication has successfully occurred. 


Edit the rule’s scope, which is the local and remote IP address ranges to which the rule 
applies. You can also do this when you create a custom rule. 


Configure whether the rule applies to specific network interfaces, instead of just 
network profiles. For example, if your computer has two network adapters, you can 
configure a rule to apply so that it allows traffic on one adapter but not the other when 
both adapters have the same profile set. 


Configure whether or not to allow packets that have passed across a Network Address 
Translation (NAT) device. 


Creating outbound rules 


Default settings for Windows Defender Firewall with Advanced Security do not block out- 
bound traffic. In high-security environments, you should consider using outbound rules to 
block all but authorized outbound traffic. 


The process for creating an outbound rule is almost identical to the process for creating 
an inbound rule. You specify the rule type in the New Outbound Rule Wizard; you specify 
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whether the connection is blocked, allowed, or allowed only if authenticated; and you specify 
the network profiles in which the rule is active. By editing the properties of the rule after the 
rule is created, you can configure all of the advanced options configurable for inbound rules, 
such as rule scope, specific network interfaces, and to which computers or users the rule allows 
outbound connections. 


Configuring IPsec 


The IPsec Settings tab of Firewall Properties allows you to configure how IPsec is used when 
applied in connection security rules. On the tab itself, shown in Figure 1-25, you can configure 
whether you want to customize the IPsec defaults, exempt Internet Control Message Protocol 
(ICMP) traffic from IPsec, and whether you want to configure IPsec tunnel authorization. 


Windows Firewall with Advanced Security on Local Computer Pro... X 
Domain Profile Private Profile Public Profile IPsec Settings 
IPsec defaults 


Specify settings used by IPsec to 
te pacers aranan 


IPsec exemptions 
E Exempting ICMP from all IPsec requirements can simplify 
QLI troubleshooting of network connectivity issues. 
Exempt ICMP from IPsec: No (defaut) v 


IPsec tunnel authorization 
Kl Speciyihe users and computers that are authorized to 
alg establish IPsec tunnel connections to this computer. 


@ None 
O Advanced 


wa WAE 


FIGURE 1-25 IPsec Settings 


Exempting ICMP traffic can be useful for diagnostic purposes because many administrators 
use the ping utility to diagnose whether a host has network connectivity. If connection security 
rules are enabled, the default IPsec settings mean that a successful IPsec negotiation must 
occur prior to an ICMP response being sent. If the IPsec negotiation is the problem, enabling 
ICMP response allows you to verify that there is network connectivity and that the problem lies 
just a bit further up the network stack. 

If you select the Customize button next to the IPsec defaults, you can change the Key 
Exchange, Data Protection, and Authentication Method (see Figure 1-26). The default key 
exchange uses the Diffie-Hellman Group 2 key exchange algorithm with a key lifetime of 480 
minutes. You can modify these settings so that they use more secure methods, but this may 
reduce the ability to interact with some third-party devices. 
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Customize IPsec Defaults x 


IPsec will use these settings to establish secured connections when 


When you use the default options. any settings in a GPO with a higher 
precedence are used. 


Key exchange (Main Mode) 
O Defaut (ecommended) 


© Advanced 


OK Cancel 


FIGURE 1-26 Customize IPsec Defaults 


The data protection settings allow you to configure the algorithms used for data integrity 
and encryption. Normally, there isn’t much reason to change this; however, if you feel you need 
the strongest encryption possible to protect your organization's network traffic, you can use 
a different algorithm, such as AES-CBC with a 256-bit key length. In general, the stronger the 
encryption, the greater the resources needed to support that encryption. Although you can 
make the protection a lot stronger, the benefit of doing so might be only marginal given the 
value of the data being protected. 


The default authentication method used for IPsec connections is Computer (Kerberos V5). 
This means that a domain controller must be present to verify the identity of each computer 
before an IPsec session can be established. You can also use Computer (NTLMv2), a computer 
certificate from this certificate authority (CA) or a preshared key to authenticate IPsec con- 
nections. A preshared key is not a recommended method of authentication, but it might be 
necessary if there is no certificate services infrastructure and computers aren't members of a 
domain. 


Implement connection security rules 


Connection security rules are a more intelligent type of firewall rule than a simple port-based 
rule. An interesting adaptation to firewalls has been an increase of traffic through ports tradi- 
tionally used for common applications. Connection security rules are about trusting incoming 
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connections based on the identity of the remote host, rather than the remote host's network 
address or the communication port it uses. 


Tunnel rules 


Tunnel rules allow client computers to communicate with computers on a secure network 
behind a remote gateway. For example, if you have a single server located at a branch office 
that you want to connect to an internal network at another office, using a tunnel rule, you 
specify the location of a host that functions as a gateway to that secure network. This allows 
you to create an IPsec tunnel through which secure communication can occur. 


To create a tunnel rule, perform the following steps: 


1. In Windows Defender Firewall With Advanced Security, right-click the Connection Secu- 
rity Rules node and then select New Rule. This opens the New Connection Security Rule 
Wizard. Select Tunnel Rule. 

2. On the Tunnel Type page, shown in Figure 1-27, determine the type of tunnel that you 
want to create. To create the type of rule outlined earlier, select Client-to-gateway. 


@ New Connection Security Rule Wizard x 
Tunnel Type 
Select the type of tunnel to create, 

ee What type of tunnel would you like to create? 
@ Rule Type 
@ Tunnel Type © Custom configuration 
e so Specify the tunnel endpoints and the computers that can be reached at ether end of the tunnel. 
@ Tunnel Endpoints @ Gientto-gateway 

Use the local computer as one endpoint. Specify the remote tunnel endpoint and the computers 

@ Authentication Method that can be reached through the tunnel 
© Profile O Gatewayto-client 
a Name Use the local computer as a tunnel endpoint at one end of the tunnel. Specify the computers that 


can be reached through the tunnel by a remote chent. 


Would you like to exempt IPsec protected connections from this tunnel? 

© Yes. Ea network connection is already protected by IPsec through another connection securty 
tule, do not send the network packets for the connection through the tunnel 

® Ng. Send al network traffic that matches this connection security rule through the tunnel. 


[eek] Caneel 


FIGURE 1-27 Tunnel Type 


3. Choose whether you wish to require authentication for inbound and outbound 
connections. 


4. Specify the address of the computer that functions as the gateway to the secure 
network. 
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5. Specify the authentication method. The default is to use a computer certificate issued bya 
designated CA. You can also specify computer-based Kerberos, NTLMv2, or preshared key. 


6. Specify the firewall profiles in which this connection security rule applies and add a 
name for the rule. 


Authentication exemptions 


Authentication exemptions allow you to create very specific holes in connection security rules. 
These are useful in the event that you want to remotely manage a server but all the servers that 
would normally authenticate your connection, such as certificate servers or domain controllers, 
are unavailable. Authentication exemptions override existing connection security rules. 


When you create an authentication exemption, you define the exemption on the basis 
of the source computer's IP address. As Figure 1-28 shows, you do this using a single IPv4 or 
IPv6 address, an IP address range, or a predefined set of computers. For security reasons, you 
should limit the number of IP addresses for which you create authentication exemptions to one 
or two specific privileged-access workstations. 


IP Address x 
Specify the IP addresses to match: 


@ This IP address or subnet: 
192.168.15.101 | 
Examples: 192.168.0.12 

192.168.1.0/24 


2002:9d3b:1831:4:208:74f fe39:6c43 
2002:$d3b:14a31:4:208:74ff fe39:0/112 


O This IP address range: 


From: 


C] [cence 


FIGURE 1-28 Authentication exemption 


To create an authentication exemption, perform the following steps: 


1. In Windows Defender Firewall With Advanced Security, right-click the Connection Secu- 
rity Rules node and then select New Rule. This opens the New Connection Security Rule 
Wizard. Select Authentication Exemption. 

2. Inthe Exempt Computers dialog box, select Add. In the IP Address dialog box, enter 
the IP address, subnet, or IP address range of the computers that you wish to exempt 
from connection security rules. You can also choose from a list of predefined addresses, 
including the Default Gateway, DHCP servers, the local subnet, or DNS servers. 


3. Select the profile to which you want the rule to apply and specify a rule name. 
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Implement domain isolation 

Isolation rules allow you to limit communication so that a server or computer communicates 
only with computers that have authenticated with it. Sometimes, these are called domain isola- 
tion policies because they limit hosts to only communicating with other servers that are mem- 
bers of the same Active Directory forest. When you configure an isolation rule, it applies to all 
traffic from all hosts; this is unlike tunnel or server-to-server rules, which apply to traffic to and 
from specific hosts. Requiring authentication on both inbound and outbound connections is 
the strongest form of protection because it means that communication can be performed only 
with authenticated hosts. 


To create an isolation rule, perform the following steps: 


1. In Windows Defender Firewall With Advanced Security, right-click the Connection Secu- 
rity Rules node and then select New Rule. This opens the New Connection Security Rule 
Wizard. Select Isolation and then select Next. 


2. On the Requirements page, as shown in Figure 1-29, choose one of the following: 
= Request authentication for inbound and outbound connections 
= Require authentication for inbound connections and request authentication 
for outbound connections 


= Require authentication for inbound and outbound connections 


@ New Connection Security Rule Wizard 


Requirements 
Specify the authentication requirements for connections that match this nde. 


Steps: 

@ Rule Type When do you want authentication to occur? 

æ Requirements 

@ Authentication Method @© Request authentication for inbound and outbound connections 

a Profile Authenticate whenever possible but authentication is not required. 

@ Name © Require authentication for inbound connections and request authentication for 
outbound connections 


Inbound connections must be authenticated to be allowed. Oulbound connections are 
authenticated whenever possible but authentication is not required. 


© Require authentication for inbound and outbound connections 
Both inbound and outbound connections must be authenticated to be allowed. 


FIGURE 1-29 Connection security rule 
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Choose the authentication method. The default is to use the authentication method 
specified on the IPsec Settings tab of Firewall Properties. You can also choose between 
computer and user leveraging Kerberos version 5, or you can configure advanced 
authentication options, which include certificate-based authentication. It is also pos- 
sible, though not recommended, to use a preshared key for authentication, which is 
useful when you need to communicate with computers running third-party operating 
systems. 


The final step in setting up a connection security rule is to configure the profiles in which 
the rule applies. Unless there is a good reason otherwise, you should apply connection 
security rules in all profiles. 


Server-to-server rules are used to authenticate communication between two groups of 
computers. This can be a rule authenticating and encrypting a single computer-to-computer 
connection, such as between a web server and a database server or between computers on 
two separate subnets. Server-to-server rules differ from isolation rules; isolation rules apply to 
communication from all hosts, whereas server-to-server rules apply to specific hosts. 


To create a server-to-server rule, perform the following steps: 


1; 


In Windows Defender Firewall With Advanced Security, right-click the Connection Secu- 
rity Rules node and then select New Rule. This opens the New Connection Security Rule 
Wizard. Select the Server-To-Server rule. 


On the Endpoints page, enter the IP addresses of the computers that are at one end 
of the connection and the IP addresses of the computers that are at the other end 
of the connection. Figure 1-30 shows a rule defining one endpoint as the subnet 
192.168.15.0/24 and the other endpoint as subnet 192.168.16.0/24. 


On the Requirements page, specify how you want authentication to occur. If you 
want only this computer to communicate on the profile using encrypted and authen- 
ticated connections, select Require authentication for inbound and outbound 
connections. 

Specify the authentication method. The default is to use a computer certificate issued 
by a designated CA. You can also specify computer-based Kerberos, NTLMv2, or a 
preshared key. 


Specify the firewall profiles in which this connection security rule applies and add a 
name for the rule. 


EXAM TIP 


Remember that exempting ICMP traffic can be useful for diagnostic purposes because many 


administrators use the ping utility to diagnose whether a host has network connectivity. 
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@ New Connection Security Rule Wizard x 


Endpoints 
Specify the computers between which secured connections will be established using IPsec. 


Steps: 
è Rule Type Create a secured connection between computers in Endpoint 1 and Endpoint 2. 
@ Endpoints Which computers are in Endpoint 1? 

@ Requirements © Ary IB address 

@ Authentication Method 
@ Profile 

@ Name 


Customize the interface types to which this rule apples: Cystomize... | 
Which computers are in Endpoint 2? 
O Any IP address 
@ These IP addresses: 
[192.168.16,0/28 E Add... 


FIGURE 1-30 Connection security rule endpoints 


Skill 1.5: Secure Windows Server storage 


Server storage, be it physical or virtual, often holds critical information. BitLocker allows you 
to encrypt the storage so that if a physical disk goes missing or a virtual disk somehow is exfil- 
trated from Azure, the contents of that disk cannot be read by mounting it to another Win- 
dows Server computer. In this section, you'll learn how to configure BitLocker for on-premises 
Windows Server instances and instances of the operating system running in Azure. 


This section covers how to: 

m Manage Windows BitLocker Drive Encryption (BitLocker) 
m Manage and recover encrypted volumes 

m Enable storage encryption by using Azure Disk Encryption 


Manage disk encryption keys for laaS virtual machines 
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Manage Windows BitLocker Drive Encryption (BitLocker) 


BitLocker is a full-volume encryption and boot environment protection technology. By deploy- 
ing BitLocker, you can ensure that a nefarious third party can't use a USB boot device to boot a 
computer in your organization and extract data from the hard disk, or simply remove the hard 
disk for later data extraction. The boot environment protection technology protects against 
modifications to the boot environment. When a change to the boot environment is detected, 
the BitLocker recovery key must be entered to authorize the changes. 


BitLocker is often deployed with client computers, but it can also be deployed on servers 
to protect stored data. BitLocker protects data from being extracted from the hard drive only 
while the operating system is functioning. Users who can sign on to a computer are usually 
unaware that the data they are accessing is stored in an encrypted manner on the hard disk. It 
is only when the hard disk is connected to another computer that it is inaccessible unless the 
appropriate recovery keys are available. You can use BitLocker on VMs that have access to a 
virtual Trusted Platform Module (TPM) chip. 


BitLocker requirements 


BitLocker can be used with or without a TPM chip. A TPM chip provides the highest level of 
security and while it’s not a requirement for Windows Server 2022, one is a requirement for 
computers running Windows 11 or later. With a TPM chip, you can configure boot environment 
protection. When boot environment protection is enabled, the integrity of the boot environ- 
ment is checked each time the computer boots. If a modification to the boot environment has 
been made, the computer will be forced into BitLocker Recovery mode. 


You configure the BitLocker mode using Group Policy. Options include: 


= TPM-Only Mode When you configure this mode, the user is not prompted for a 
password ora PIN. This mode offers boot integrity protection. You can use this mode 
on servers when you have a TPM; you don’t have Unified Extensible Firmware Interface 
(UEFI) that supports Dynamic Host Configuration Protocol (DHCP) and therefore doesn't 
support Network Unlock; and you want to protect the volume and have environment 
protection but don't want to enter a password or PIN each time a reboot is required. 


= TPM Allow Startup Key When you configure this mode, the computer can boot only 
when a specially prepared USB device is connected. This mode provides boot environ- 
ment protection and can be used with Network Unlock on computers that meet the 
Network Unlock requirements. 


= TPM With PIN/Password This is the most commonly used secure method of using 
BitLocker. It requires someone to perform authentication to boot without all the hassle 
of ensuring you never lose the startup key USB device. To boot, a password or PIN must 
be entered manually. In environments with Network Unlock, the PIN or password is not 
necessary. 


= TPM With PIN/Password And Startup Key This option is the most secure because 
it requires a TPM and a boot PIN/password, and that a USB device with a startup key be 
connected. This level of security might be appropriate if you have an offline root CA. 
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m Startup Key This option enables a computer to boot if the startup key is present. This 
option encrypts the hard drive but does not provide boot integrity protection. 


= PIN/Password This option enables a computer to boot if a password/PIN is entered. 
This option encrypts the hard drive but does not provide boot integrity protection. 


BitLocker To Go is a version of BitLocker that can be used with removable storage devices, 
including mounted virtual hard disk files. When connecting the BitLocker-protected device, 
a user needs to enter a password. After the password is entered for the device, it can be used 
with a compatible operating system. 


BitLocker Group Policy 


You configure BitLocker using the policies located in the \Computer Configuration\Policies\ 
Administrative Templates\Windows Components\BitLocker Drive Encryption node of a Group 
Policy Object (GPO). These policies enable you to perform the following tasks: 


= Configure BitLocker to store recovery information in Active Directory 
m Choose a default network folder location of recovery passwords 

m Configure encryption method and strength 

= Configure startup authentication 

= Configure organizational identifiers 


m Block access to removable volumes not encrypted and configured with the organiza- 
tional identifier 
You can configure separate policies for operating system drives, fixed data drives, and 
removable data drives. If you configure a computer to use BitLocker, you should ensure that 
all drives are protected because it minimizes the chance that an unauthorized third party can 
recover data. 


BitLocker recovery 


BitLocker enables you to use a recovery key if you need to boot a computer with a TPM chip 
when the boot environment has changed or if you need to recover data from a BitLocker- 
protected volume if something has happened to the computer that originally hosted the 
volume. When you use BitLocker to encrypt a drive, you have the option of saving the BitLocker 
key in a location on a volume that is not encrypted. This file is saved as a text file that includes 
an identifier and a recovery key. The drawback of this method is that managing the text files 
quickly becomes difficult after you have more than a few computers using BitLocker. 

There are two better methods that you can use to manage BitLocker recovery keys: 

= Active Directory backup 

m Data Recovery Agent (DRA) 


When enabled, the Store BitLocker Recovery Information in the Active Directory Domain 
Services (AD DS) policy backs up BitLocker recovery information to Active Directory. When 
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enabled, administrators can view BitLocker recovery information, as in Active Directory Users 
and Computers, through a computer account's properties. You can configure this policy so 
that BitLocker is enabled only when successful backup occurs. When there are changes, these 
changes are automatically backed up. You can back up passwords/PINs, recovery keys, or both. 


Recovering data from a BitLocker-protected volume if the host computer fails requires that 
you have access to the recovery key, which you use with a special utility that can then mount 
and read the volume, or you have configured a DRA. You configure the BitLocker DRA by add- 
ing a DRA certificate to the Computer Configuration\Policies\Windows Settings\Security Set- 
tings\Public Key Policies\BitLocker Drive Encryption node. If a volume has been encrypted prior 
to the configuration of this policy, you need to remove and then reapply BitLocker to ensure 
that the DRA certificate can decrypt encrypted volumes. When BitLocker is configured with a 
DRA, any computer with the appropriate certificate installed can mount and access BitLocker- 
encrypted volumes. 


Configuring Network Unlock 


When you implement BitLocker using the PIN/password options, users need to enter their 

PIN or password each time they boot the computer. Users tend to deal with this issue in a 
variety of ways, including leaving the computer in a permanently powered-on state so that 
they don’t have to go through the rigmarole of entering the PIN or password at startup each 
time. This requirement also causes problems when performing software and operating system 
maintenance operations that require a reboot. A computer forced to reboot that requires a 
PIN or password can't fully boot until that PIN or password is provided. If multiple reboots are 
required, multiple PIN or password entries must be made during each reboot. 


BitLocker Network Unlock enables computers configured for BitLocker that are connected 
to the internal wired network to bypass the requirement to enter the PIN or password. Bit- 
Locker Network Unlock works only if the computer is connected to the internal wired network 
and only if the computer meets a specific set of hardware requirements. If the computer, such 
as a laptop computer, reboots when disconnected from the internal wired network, then the 
BitLocker PIN or password must be entered as normal. 


NEED MORE REVIEW? BITLOCKER NETWORK UNLOCK 


You can learn more about BitLocker Network Unlock at https://docs.microsoft.com/en-us/ 
previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj574173(v=ws.11). 


BitLocker Network Unlock has the following requirements: 


= Computer hardware must have UEFI DHCP drivers. Because Hyper-V doesn't emulate 
UEFI with DHCP functionality, you can’t use Network Unlock with BitLocker-protected 
VMs. You can use Network Unlock with Hyper-V hosts protected by BitLocker. 


m The BitLocker Network Unlock feature must be installed. 
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Windows Deployment Services (WDS) must be installed and configured on a domain- 
joined computer. 


The DHCP server role must be installed and configured on a domain-joined computer. 


A network key must be installed on each computer configured with BitLocker’s system 
volume. This key must be encrypted using a 2,048-bit RSA public key stored on the 
server hosting the BitLocker Network Unlock feature. The Network Unlock key requires 
you to configure a custom certificate template based off the user template. This certifi- 
cate requires a minimum key size of 2,048 bits and must use the RSA algorithm and an 
object identifier (OID) of 1.3.6.1.4.1.311.67.1.1. 


BitLocker Network Unlock Group Policy settings must be configured. You configure this 
policy by adding the BitLocker Network Unlock certificate to the \Computer Configura- 
tion\Policies\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive 
Encryption Network Unlock Certificate node. 


Manage BitLocker with PowerShell 


You can use the following PowerShell cmdlets to manage BitLocker on Windows Server 
instances: 


Add-BitLockerKeyProtector Adds a key protector for a BitLocker volume. You can 
use this cmdlet to add multiple startup key protectors rather than a single key protector 
such asa TPM 


Backup-BitLockerKeyProtector Saves a key protector for a specific BitLocker pro- 
tected volume to AD DS 


Clear-BitLockerAutoUnlock Removes BitLocker automatic unlocking keys 
Disable-BitLocker Disables BitLocker encryption for a specific volume 
Disable-BitLockerAutoUnlock Disables automatic unlocking for a BitLocker volume 
Enable-BitLocker Enables BitLocker for a volume. 


Enable-BitLockerAutoUnlock Enables automatic unlocking of a specific BitLocker- 
encrypted volume 


Get-BitLockerVolume View information about the BitLocker status of volumes on a 
computer 


Lock-BitLocker Blocks access to encrypted data on a BitLocker volume 
Remove-BitLockerKeyProtector Removes a key protector from a BitLocker volume 
Resume-BitLocker Restores BitLocker encryption for a specific volume 
Suspend-BitLocker Suspends the BitLocker encryption process for a specific volume 


Unlock-BitLocker Allows access to data on a BitLocker-encrypted volume 
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NEED MORE REVIEW? BITLOCKER POWERSHELL CMDLETS 


You can learn more about BitLocker PowerShell cmdlets at https://docs.microsoft.com/en-us/ 
powershell/module/bitlocker/?view=windowsserver2019-ps. 


Manage and recover encrypted volumes 


Assuming that you have backed up a volume’s BitLocker encryption keys by storing the key 
somewhere, backing it up to Active Directory, or configuring a Data Recovery Agent, you have 
the ability to recover the data on a BitLocker-protected volume. For example, you might have 
a server where the motherboard or CPU suffers a failure, taking the TPM chip with it, and you 
need to recover the data on the encrypted volume. 


You can trigger recovery from the command prompt by running the command 
Manage-bde.exe -forcerecovery <volume> 

You can also use this command to perform the recovery of an encrypted volume on a 
remote computer by using the ComputerName parameter. For example: 


Manage-bde.exe -ComputerName <ComputerName> -forcerecovery <volume> 


When retrieving passwords from AD DS, there might be multiple BitLocker recovery pass- 
words associated with a computer account. When you view the properties of the computer 
object, the date that the password was written to AD DS will be included with each recovery 
password. There will also be a password ID associated with the volume that will be available 
when using the manage-bde.exe tool that will be associated with the recovery password stored 
with the AD DS object. 


If you cannot use manage-bde.exe because the encrypted volume is damaged, you can 
attempt to perform recovery using the BitLocker Repair tool repaire-bde.exe. To be able to use 
this tool you need to ensure that the BitLocker key package is saved to AD DS. You can ensure 
that this is done by choosing the Backup recovery password and key package option in the 
Group Policy settings associated with the recovery message. 


NEED MORE REVIEW? BITLOCKER RECOVERY GUIDE 


You can learn more about BitLocker recovery at https://docs.microsoft.com/en-us/ 
previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn383583(v=ws.11). 


Enable storage encryption by using Azure Disk Encryption 


Azure storage encrypts data at rest by default. Azure uses an Encryption at Rest design that 
leverages symmetric encryption to encrypt and decrypt large amounts of data. This model 
uses the following process: 


m Asymmetric encryption key is used to encrypt data as data is written to storage. 


m The same encryption key is used to decrypt any data as it is loaded into memory. 
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m You can partition data so that different keys are used for each data partition. 

m By default the key used for storage encryption is managed and maintained by Azure. 
You can use an encryption key that you manage yourself for storage encryption. This 
might be required for regulatory reasons in some jurisdictions. 

m Azure managed disks are encrypted using a technology called storage server-side 
encryption. 

Azure Disk Encryption differs from storage server-side encryption in the following ways: 

m An Azure VM can use managed disks that are encrypted at rest using storage server- 
side encryption. 

m Azure Disk Encryption uses a customer-managed encryption key stored in an Azure Key 
Vault. Azure Disk Encryption for Windows Server laaS VM leverages BitLocker. 

m You can use Azure Disk Encryption with managed disks encrypted using storage server- 
side encryption as long as the managed disks use an Azure-managed key. 


m Ifyou choose to use a customer-managed key for storage server-side encryption, you 
won't be able to encrypt the VM using Azure Disk Encryption as the technology does 
not support this scenario. 


NEED MORE REVIEW? AZURE DISK ENCRYPTION 


You can learn more about Azure Disk Encryption at https://docs.microsoft.com/en-us/azure/ 
security/fundamentals/azure-disk-encryption-vms-vmss. 


Manage disk encryption keys for laaS virtual machines 


Azure Disk Encryption for Windows Server VMs is able to use BitLocker disk encryption with 
the appropriate cryptographic keys stored in an Azure Key Vault and accessible only to the VM 
through the VM's managed identity. 

To support laaS VM disk encryption, the Windows Server laaS VM must be able to do the 
following. (By default, laaS VM can do this unless you remove the default network security 
group rules.) 

m The server must be able to connect to the Key Vault endpoint so that the Windows 
Server laaS VM can store and retrieve encryption keys. 

m The server must be able to connect to an Azure Active Directory endpoint at http:// 
login.microsoftonline.com so that it can retrieve a token that allows it to connect to the 
Key Vault that holds the encryption keys. 

m The server must be able to connect to an Azure storage endpoint that hosts the Azure 


extension repository and the Azure storage account that stores the VM’'s virtual hard 
disks. 


Skill 1.5: Secure Windows Server storage 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


83 


m If the Windows Server laaS VM is domain joined, do not configure BitLocker-related 
Group Policies, other than the Configure User Storage Of BitLocker Recovery Informa- 
tion: Allow 256-Bit Recovery Key policy. This policy is usually configured automatically 
during the encryption process, and Azure Disk Encryption will fail if a Group Policy 
conflict in any TPM or BitLocker-related policies exists. 


m Azure Disk Encryption supports encrypting both the boot and data volumes. 
m Azure Disk Encryption can only encrypt mounted volumes. 
Perform the following steps to encrypt the hard disk drives of a Windows Server laaS VM: 
1. Create an Azure Key Vault to store the encryption key used to encrypt the hard disk of 
the VM. You can do this with the following code: 


az keyvault create --name "KeyVaultName" --resource-group "VMResourceGroup" 
--location AzureRegion --enabled-for-disk-encryption 

2. You can create a key yourself and use that or automatically have a key created and 
placed in the specified Azure Key Vault by the encryption process. 


3. To encrypt a VM using Azure CLI, issue the following command, identifying the Azure 
Key Vault that you created in step 1: 
az vm encryption enable -g VMResourceGroup --name VMName --disk-encryption- 
keyvault KeyVaultName 
You can rotate encryption keys using the same command you used to enable disk encryp- 
tion but specifying a different Key Vault. If you want to add an encryption key, run the az vm 
encryption enable command and pass the --key-encryption-key parameter. You can remove 
the key encryption key by running the command once more but omitting this parameter. Win- 
dows Server 2022 can use RSA 3072 or RSA 4096-bit encryption keys but cannot use an RSA 
2048-bit encryption key. Versions of Windows Server prior to Window Server 2022 should use 
RSA 2048-bit encryption keys. 
Azure Backup includes a mechanism to back up and restore an Azure Disk Encryption- 
encrypted VM as long as the Recovery Services Vault is in the same subscription and region as 
the encrypted laaS VM. 


NEED MORE REVIEW? AZURE DISK ENCRYPTION FOR WINDOWS VMS 


You can learn more about Azure Disk Encryption for Windows VMs at https://docs.microsoft.com/ 
en-us/azure/virtual-machines/windows/disk-encryption-overview. 


v EXAM TIP 


Remember that you need an Azure Key Vault present before you can enable Azure Disk 
Encryption. 
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Chapter summary 


m Windows Defender for Endpoint provides an antimalware solution for Windows Server 
systems. 


m Windows Defender Credential Guard protects against pass-the-hash attacks. 


m Password policies allow you to control how complex, how long, and how often 
passwords should be changed. 


m You can use password block lists to stop users from including commonly used words or 
phrases in their passwords. 


m Adding a user to the protected users group increases the security settings assigned to 
that user. 


m You can use the Delegation of Control Wizard to assign specific permissions, such as 
reset password over an OU, to a specific security group. 


m You can use Microsoft Sentinel to monitor security telemetry from on-premises servers 
and Azure laaS VMs. 


m You can use connection security rules to implement domain isolation policies. 


m You can use Group Policy to ensure that BitLocker encryption keys are stored with a 
computer account in AD DS. 


m You can use Azure Disk Encryption to enable BitLocker on laaS VMs after you create and 
configure an Azure Key Vault. 


Thought experiment 


In this thought experiment, demonstrate your skills and knowledge of the topics covered in this 
chapter. You can find answers to this thought experiment in the next section. 

You are the security administrator at Tailwind Traders responsible for Windows Server com- 
pute workloads. Tailwind Traders has 100 Azure Arc-enabled Windows Server 2022 computers 
running as VMs and physical servers across five branch offices in Australia and New Zealand. 
You are using Microsoft Defender for Servers, a part of Microsoft Defender for Cloud, to secure 
these computers. With this information in mind, answer the following questions: 

1. What feature can you use to ensure that only applications that regularly execute on 
the Windows Server instances can run? 


2. What feature can you use to determine if critical system files have been modified on 
the Windows Server instance? 


3. What feature can you use to determine if any security vulnerabilities exist on the 
Windows Server instances? 


Thought experiment 
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Thought experiment answers 


This section contains the solution to the thought experiment. Each answer explains why the 
answer choice is correct. 


1. Adaptive Application Control allows you to monitor the applications that run on 
Azure Arc—enabled servers and to block unusual applications from executing. 


2. You can use File Integrity Monitoring to determine whether critical system files have 
been modified on the Windows Server instance. 


3. You can use threat and vulnerability management to determine if there are any secu- 
rity vulnerabilities on Arc-enabled Windows Server instances. 
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Implement and manage 
Windows Server High 
Availability 


The primary high-availability technology available in Windows Server is failover clustering. 
Clustering allows you to ensure that your workloads remain available if server hardware 

or even a site fails. You can configure Windows Server failover clustering for on-premises, 
hybrid, and Azure hosted workloads. Understanding Windows Server high availability 
involves knowing the requirements for configuring a failover cluster and how to manage that 
cluster. This chapter also addresses the deployment, configuration, and management of the 
highly available Windows Server storage technology named Storage Spaces Direct. 


Skills covered in this chapter: 
m Skill 2.1: Implement a Windows Server failover cluster 
m Skill 2.2: Manage failover clustering 


m Skill 2.3: Implement and manage Storage Spaces Direct 


Skill 2.1: Implement a Windows Server failover cluster 


This objective deals with managing Windows Server failover clusters that are deployed 
on-premises, in a hybrid configuration, and in Azure. To master this objective, you'll need to 
understand Windows Server failover clustering requirements, possible cluster configurations, 
and the types of cluster workloads that you can deploy. 


This skill covers how to: 

m Implement a failover cluster on-premises, hybrid, or cloud-only 
m Create a Windows failover cluster 

m Stretch cluster across datacenter or Azure regions 


= Configure storage for failover clustering 
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= Modify quorum options 

= Configure network adapters for failover clustering 
= Configure cluster workload options 

= Configure cluster sets 

m Create an Azure witness 

= Configure a floating IP address for the cluster 


= Implement load balancing for the failover cluster 


Implement a failover cluster on-premises, hybrid, 
or cloud-only 


The primary high-availability technology available in Windows Server is failover clustering. 
Failover clustering is a stateful, high-availability solution that allows an application or service to 
remain available to clients if a host server fails. You can use failover clustering to provide high 
availability to applications such as SQL Server and to scale out file servers and virtual machines 
(VMs). With clustering, you can ensure that your workloads remain available if server hardware 
or even a site fails. 


Failover clustering is supported in both the Standard and Datacenter editions of Windows 
Server. In some earlier versions of the Windows Server operating system, you gained access to 
failover clustering only if you used the Enterprise edition. Windows Server supports up to 64 
nodes in a failover cluster. 


Generally, all servers in a cluster should run either a similar hardware configuration or 
should be similarly provisioned virtual machines. You should also use the same edition and 
installation option. For example, you should aim to have cluster nodes that run either the full 
GUI or the Server Core version of Windows Server, but you should avoid having cluster nodes 
that have a mix of computers running Server Core and the full GUI version. Avoiding this mix 
ensures that you use a similar update routine. A similar update routine is more difficult to main- 
tain when you use different versions of Windows Server. 


You should use the Datacenter edition of Windows Server when building clusters that host 
Hyper-V virtual machines because the virtual machine licensing scheme available with this edi- 
tion provides the most VM licenses. 


To be fully supported by Microsoft, cluster hardware should meet the Certified for Win- 
dows Server logo requirement. An easy way of accomplishing this is to purchase and deploy 
Azure Stack HCl, a prebuilt hyper-converged Windows Server installation available from select 
vendors. Even though it is called Azure Stack HCI and sounds as though it is far more of a 
cloud-based solution, it's primarily just an optimized Windows Server deployment on a certi- 
fied configuration with all the relevant clustering and “Software-Defined Datacenter” features 
lit up. 
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NEED MORE REVIEW? FAILOVER CLUSTERING 


You can learn more about Windows Server failover clusters at https://docs.microsoft.com/ 
en-us/windows-server/failover-clustering/failover-clustering-overview. 


Create a Windows failover cluster 

Windows Server failover clusters have the following prerequisites: 
m Allcluster nodes should be running the same version and edition of Windows Server. 
m You can add clustered storage during or after cluster creation. 


m All servers in the cluster that are located in the same site should be members of the 
same Active Directory (AD) domain. If configuring a stretch cluster, nodes must be 
members of the same forest. 


m The account used to create the cluster must be a domain user who has local administra- 
tor rights on all servers that will function as cluster nodes. 


m The account used to create the cluster requires the Create Computer Objects permis- 
sion in the organizational unit (OU) or container that will host the cluster-related Active 
Directory objects. 


Recommended practice is to place the computer accounts for cluster nodes in the same OU 
and to use separate OUs for each cluster. Some organizations create child OUs for each sepa- 
rate cluster in a specially created parent Cluster OU. 


You install failover clustering by installing the Failover Clustering feature, performing initial 
cluster configuration, running the cluster validation process, and then performing cluster cre- 
ation. You can use Windows Admin Center, PowerShell, or the Server Manager console to per- 
form these tasks. Once the cluster is deployed, you can manage your clusters using the Failover 
Clustering Remote Server Administration Tools (RSAT), PowerShell, or Windows Admin Center. 


You can install the Failover Clustering feature and its associated PowerShell cmdlets on a 
node using the following PowerShell command: 


Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools 


Validating cluster configuration 


Cluster validation performs a check of a cluster’s current or proposed configuration and allows 
you to determine whether you have the necessary pieces in place to create a cluster prior to 
attempting to perform this task. Although you can skip validation, recommended practice is to 
go through the process. This is because even though you may have created numerous clusters 
in the past it doesn’t mean that the next time you go to create a cluster you accidentally over- 
look some small but critical detail. 


The period prior to cluster deployment is not the only time that you can perform cluster 
validation. You should rerun cluster validation whenever you change or update a significant 
component of the cluster. This includes adding nodes, modifying storage hardware, updating 


Skill 2.1: Implement a Windows Server failover cluster 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


89 


network adapters, updating firmware or drivers for network adapters, and updating multipath- 
ing software. Cluster validation performs tests in six categories: 


= Inventory Inventory tests determine if the hardware, software, networking, and stor- 
age configuration support the deployment of a cluster. 


= Network A detailed set of tests to validate cluster network settings. 

m Storage A detailed set of tests to analyze shared cluster storage. 

m Storage Spaces Direct (S2D) A detailed set of tests to analyze S2D configuration. 
m System Configuration A set of tests on the current system configuration. 


= Cluster Configuration This category of test only executes on deployed clusters 
to verify that best practices are being followed (for example, using multiple network 
adapters connected to different networks). 


You can perform cluster validation from the Failover Cluster Management Tools that are 
part of the Remote Server Administration Tools, using Windows Admin Center to connect to an 
existing cluster, or by running the Test-Cluster PowerShell cmdlet. 


NEED MORE REVIEW? VALIDATE CLUSTERS 


You can learn more about validating Windows Server failover clusters at https:// 
techcommunity.microsoft.com/t5/failover-clustering/validating-a-cluster-with-zero- 
downtime/ba-p/371685. 


Prestage cluster computer objects 


During the cluster creation process, a computer object is created in Active Directory Domain 
Services (AD DS) that matches the cluster name. This AD DS object is called the cluster name 
object. As mentioned earlier in the chapter, the domain user account used to create the cluster 
must have the Create Computer Objects permission in order to create this object. It's possible 
to have an appropriately permissioned account pre-create a cluster name object. When this is 
done, the account used to then create the cluster using the constituent nodes does not require 
the Create Computer Objects permission. 


Workgroup clusters 


Workgroup clusters are a special type of cluster where cluster nodes are not members of an 
Active Directory domain. Workgroup clusters are also known as Active Directory detached 
clusters. The following workloads are supported for workgroup clusters: 


m SQLServer When deploying SQL Server on a workgroup cluster, you should use SQL 
Server Authentication for databases and SQL Server Always On Availability Groups. 


m FileServer A supported but not recommended configuration as Kerberos will not be 
available as an authentication protocol for SMB traffic. 


= Hyper-V A supported but not recommended configuration. Hyper-V live migration is 
not supported, though it is possible to perform quick migration. 
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When creating a workgroup cluster, you first need to create a special account on all nodes 
that will participate in the cluster that has the following properties: 


m The special account must have the same username and password on all cluster nodes. 


m The special account must be added to the local Administrators group on each cluster 
node. 


m The primary DNS suffix on each cluster node must be configured with the same value. 


m When creating the cluster, ensure that the AdministrativeAccessPoint parameter when 
using the New-Cluster cmdlet is set to DNS. Ensure that the cluster name is present in the 
appropriate DNS zone, which depends on the primary DNS suffix, when running this 
command. 


m You will need to run the following PowerShell command on each node to configure the 
LocalAccountTokenFilterPolicy registry setting to 1: 


new-itemproperty -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ 
System -Name LocalAccountTokenFilterPolicy -Value 1 


To create a workgroup cluster, use the New-Cluster cmdlet with the name parameter listing 
the cluster name, the node parameters listing the nodes that you wish to join to the cluster 
where the nodes have been configured according to the prerequisites, and the Administrative- 
AccessPoint parameter configured for DNS. For example, to create a new workgroup cluster 
named workgrpclst with member nodes node! and node2, run the following command on one 
of the nodes: 


New-Cluster -name workgrpclst -node nodel,node2 -AdministrativeAccessPoint DNS 


Stretch cluster across datacenter or Azure regions 


Failover clusters can span multiple sites. From the perspective of a hybrid environment, site 
spanning can include spanning two separate on-premises locations, an on-premises location 
and an Azure datacenter, or having cluster nodes hosted in different Azure regions. When 
configuring a cluster that spans two sites, you should consider the following: 


m Ensure that there are an equal number of nodes in each site. 
m Allow each node to have a vote. 


m Enable dynamic quorum. Dynamic quorum allows quorum to be recalculated when 
individual nodes leave the cluster one at a time. Dynamic quorum is enabled by default 
on Windows Server failover clusters. 


m Usea file share witness. You should host the file share witness on a third site that has 
separate connectivity to the two sites that host the cluster nodes. When configured in 
this manner, the cluster retains quorum if one of the sites is lost. An alternative to a file 
share witness is an Azure Cloud Witness. 
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If you only have two sites and are unable to place a file share witness in an independent 
third site, you can manually edit the cluster configuration to reassign votes so that the cluster 
recalculates quorum. 

Manually reassigning votes is also useful to avoid split-brain scenarios. Split-brain scenarios 
occur when a failure occurs in a multisite cluster and when both sides of the cluster believe they 
have quorum. Split-brain scenarios cause challenges when connectivity is restored and make 
it necessary to restart servers on one side of the multisite cluster to resolve the issue. You can 
manually reassign votes so that one side always retains quorum if intersite connectivity is lost. 
For example, by setting the Melbourne site with two votes and the Sydney site with one vote, 
the Melbourne site always retains quorum if intersite connectivity is lost. 

You can use Storage Replica to enable stretch clusters with shared storage. Stretch clusters 
that use shared storage have the following requirements: 


m Cluster nodes are all members of the same AD DS forest. 


m Firewall rules allow ICMP, SMB (ports 445 and 5445 for SMB direct), and WS-MAN (port 
5985) bidirectional traffic between all nodes that participate in the cluster. 


m They must have two sets of shared storage that support persistent reservation. Each 
storage set must be able to support the creation of two virtual disks. One will be used 
for replicated data and the other for logs. These disks need to have the following 
properties: 


m They must be initialized as GUID Partition Table (GPT) and not Master Boot 
Record (MBR). 


= Data volumes must be of identical size and use the same sector size. 
m Log volumes must be of identical size and use the same sector size. 


m Replicated storage cannot be located on the drive containing the Windows Server 
operating system. 


m Premium SSD must be used for cluster nodes hosted as infrastructure-as-a-service (laaS) 
VMs in Azure. 


m Ensure that there is less than 5-millisecond round-trip latency if synchronous replication 
is being used. If asynchronous replication is being used, this requirement does not need 
to be met. 


m Storage Replica—configured stretch clusters can use Storage Replica technology to repli- 
cate shared cluster storage between locations. 


NEED MORE REVIEW? STRETCH CLUSTER REPLICATION 


You can learn more about stretch cluster replication at https://docs.microsoft.com/en-us/ 
windows-server/storage/storage-replica/stretch-cluster-replication-using-shared-storage. 
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Configure storage for failover clustering 


Storage for Windows Server failover clusters needs to be accessible to each node in the cluster. 
You can use serial-attached SCSI (SAS), iSCSI, Fibre Channel, or Fibre Channel over Ethernet 
(FCoE) to host shared storage for a Windows Server failover cluster. 


You should configure disks used for failover clustering as follows: 
m Volumes should be formatted using NTFS or ReFS. 
m Use Master Boot Record (MBR) or GUID Partition Table (GPT). 


m Avoid allowing different clusters access to the same storage device. This can be accom- 
plished through LUN masking or zoning. 


m Any multipath solution must be based on Microsoft Multipath I/O (MPIO). 


Cluster Shared Volumes (CSV) is a technology that allows multiple cluster nodes to have 
concurrent access to a single physical or virtual storage device, also termed a logical unit 
number (LUN). CSV allows you to have virtual machines on the same shared storage run on dif- 
ferent cluster nodes. CSV also has the following benefits: 


m Support for scale-out file servers 

= Support for BitLocker volume encryption 
m SMB 3.0 and higher support 

m Integration with Storage Spaces 

= Online volume scan and repair 


You can enable CSV only after you create a failover cluster and you have provided the 
shared storage available to each node that will be available to the CSV. 


NEED MORE REVIEW? CLUSTER SHARED VOLUMES 


You can learn more about Cluster Shared Volumes at https://docs.microsoft.com/en-us/ 


windows-server/failover-clustering/failover-cluster-csvs. 


Modify quorum options 


A cluster quorum mode determines how many nodes and witnesses must fail before the cluster 
is in a failed state. Nodes are servers that participate in the cluster. Witnesses can be stored 

on shared storage, on file shares, in Windows Server, and even on a USB drive attached to a 
network switch; shared storage is the preferred method. 


For unknown reasons, some people use Distributed File System (DFS) shares as file share 
witnesses when setting up their failover clusters. To stop this type of shenanigan from occur- 
ring in the future, Microsoft has configured Windows Server failover clustering so that it explic- 
itly blocks the use of DFS namespaces when configuring a file share witness. 

Microsoft recommends that you configure a cluster so that an odd number of total votes be 


spread across member nodes and the witness. This limits the chance of a tie during a quorum 
vote. 


Skill 2.1: Implement a Windows Server failover cluster 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


93 


94 


There are four cluster quorum modes: 


= Node Majority This cluster quorum mode is recommended for clusters that have an 
odd number of nodes. When this quorum type is set, the cluster retains quorum when 
the number of available nodes exceeds the number of failed nodes. For example, if a 
cluster has five nodes and three are available, quorum is retained. 


= Node and Disk Majority This cluster quorum mode is recommended when the clus- 
ter has an even number of nodes. A disk witness hosted on a shared storage disk, such 
as iSCSI or Fibre Channel, that is accessible to cluster nodes has a vote when determining 
quorum, as do the quorum nodes. The cluster retains quorum as long as the majority of 
voting entities remain online. For example, if you have a four-node cluster and a witness 
disk, a combination of three of those entities needs to remain online for the cluster to 
retain quorum. The cluster retains quorum if three nodes are online or if two nodes and 
the witness disk are online. 


= Node and File Share Majority This configuration is similar to the Node and Disk 
Majority configuration, but the quorum is stored on a network share rather than ona 
shared storage disk. It is suitable for similar configurations to Node and Disk Majority. 
This method is not as reliable as Node and Disk Majority because file shares generally 
do not have the redundancy features of shared storage. 


= No Majority: Disk Only This model can be used with clusters that have an odd num- 
ber of nodes. It is only recommended for testing environments because the disk hosting 
the witness functions as a single point of failure. When you choose this model, as long as 
the disk hosting the witness and one node remain available, the cluster retains quo- 
rum. If the disk hosting the witness fails, quorum is lost, even if all the other nodes are 
available. 


When you create a cluster, the cluster quorum is automatically configured for you. You 
might want to alter the quorum mode, however, if you change the number of nodes in your 
cluster. For example, you might want to alter the quorum mode if you change from a four- 
node to a five-node cluster. When you change the cluster quorum configuration, the Failover 
Cluster Manager provides you with a recommended configuration, but you can choose to 
override that configuration if you want. 


You can also perform advanced quorum configuration to specify what nodes can partici- 
pate in the quorum vote, which you can set on the Select Voting Configuration page of the 
Configure Cluster Quorum Wizard. When you do this, only the selected nodes’ votes are used 
to calculate quorum. Also, it's possible that fewer nodes would need to fail to cause a cluster 
to fail than would otherwise be the case if all nodes participated in the quorum vote. This can 
be useful when configuring how multisite clusters calculate quorum when the connection 
between sites fails. 


NEED MORE REVIEW? CLUSTER QUORUM 


You can learn more about cluster quorum at https://docs.microsoft.com/en-us/ 
windows-server/failover-clustering/manage-cluster-quorum. 
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Configure network adapters for failover clustering 


While you can create failover clusters with nodes that have a single network adapter, best prac- 
tice is to have separate networks and network adapters for the following: 


m A connection for cluster nodes to shared storage 
= A private network for internal cluster communication 
= A public network that clients use to access services hosted on the cluster 


In scenarios where high availability is critical, you might have multiple redundant net- 
works connected through several separate switches. If you have a cluster where everything is 
connected through one piece of network hardware, you can almost guarantee that piece of 
network hardware is the first thing that fails. 


Failover clustering only supports IPv4- and IPv6-based protocols. You can use either IPv4 
or IPv6 addresses that are dynamically or statically assigned, but you should not use a mix 
of dynamically and statically assigned IP addresses for nodes that are members of the same 
cluster. If you use a mixture of dynamically and statically assigned IP addresses, the Validate A 
Configuration Wizard generates an error. 


Even if the Cluster Validation Wizard only gives you warnings when you perform the test, 
you cannot create a failover cluster unless each node is configured with a default gateway. The 
default gateway doesn't have to be a host that exists, but if you're having trouble in your virtual 
machine lab with creating a failover cluster, go back and check whether you've configured a 
default gateway for each node. 


Ensure that TCP and UDP port 3343 is open on firewalls between cluster nodes. This port is 
used for cluster communication, and if communication on this port is disrupted, a node may 
appear to be in a failed state. Although it’s possible to have single adapters and have cluster 
and client communication occur over the same adapters and networks, production deploy- 
ments should use separate adapters and networks for cluster communication. 


If there are multiple paths to physical storage on a server, you will need to enable multipath 
I/O (MPIO). Enabling MPIO aggregates multiple paths to a physical disk into a single logical 
path for data access. Enabling MPIO improves resiliency to failure. You should enable MPIO on 
all nodes that will participate in the cluster. You can enable MPIO with the following PowerShell 
command: 


Install-WindowsFeature -ComputerName Nodel -Name MultiPath-1I0 


NEED MORE REVIEW? FAILOVER CLUSTER NETWORKING BASICS 


You can learn more about failover cluster networking basics at https:// 
techcommunity.microsoft.com/t5/itops-talk-blog/failover-clustering-networking-basics- 
and-fundamentals/ba-p/1472460. 
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Configure cluster workload options 


Cluster workload options include workload startup priority, preferred owners, and failover 
settings. Configuring startup priority determines when the workload becomes available after a 
cluster disruption. You can choose between High, Medium, Low, and No Auto Start. 


Workload failover settings allow you to configure the following: 
= Maximum failures in a period that will trigger failover 
m Period over which these failures are measured 


Cluster preference settings allow you to configure the preferred owner for a specific cluster 
role, and you can also configure different preferred owners for different cluster roles. Where 
possible, the role is hosted on the preferred owner. You can configure a list of preferred own- 
ers so that if the most preferred owner isn’t available, the next preferred owner hosts the role. 
Workloads will start on the preferred owner at the top of the list and will fail over to other 
nodes in list order unless specific failback settings are configured. For example, if you have con- 
figured the list as Node 4, Node 3, Node 2, and Node 1 if the workload is currently hosted on 
Node 3 and this node fails, the workload will fail over to Node 2 if it is available and then Node 
1 before attempting to fail over to Node 4. You configure a role-preferred owner in the role’s 
Properties dialog box. You can stop a workload from failing over or being moved to a specific 
node by ensuring that the node is not present on the workload’s list of possible owners. You 
can configure this list using the Set-ClusterOwnerNode PowerShell cmdlet. 


You configure whether the clustered role fails back to the preferred owner on the Failover 
tab of the cluster role’s Properties dialog box. When configuring failback, you need to: 


m Determine whether you want to prevent failback 


m Determine whether you want to have failback occur automatically as soon as the pre- 
ferred owner is in a healthy state 


= Configure failback to occur within a certain number of hours of the preferred owner 
returning to a healthy state 


Node quarantine settings allow you to configure a node so that it is unable to rejoin the 
cluster if the node fails a certain number of times within a certain period. Configuring node 
quarantine blocks workloads from being placed back on a quarantined node until the reason 
for the repeated failure can be dealt with by a server administrator. 


NEED MORE REVIEW? PREFERRED OWNERS 


You can learn more about cluster preferred owners at https://techcommunity.microsoft.com/ 
t5/failover-clustering/preferred-owners-in-a-cluster/ba-p/371290. 


File Server failover clusters 


The traditional File Server cluster role allows one node in the cluster to serve files from a highly 
available file share that is hosted on cluster storage. In the event that the node that services 
client requests fails, the role fails over to another node and clients accessing files will use the 
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new node to perform those operations. Other than increasing resiliency of the workload, there 
is no performance benefit to increasing the number of nodes for a general-purpose file server 
workload. 


Scale-Out File Servers 


A Scale-Out File Server (SoFS) is a new high-availability technology that allows you to share a 
single folder from multiple nodes of the same cluster. You can use SoFS to deploy file shares 
that are continuously available for file-based server application storage. This storage is suitable 
for hosting Hyper-V virtual machine files or Microsoft SQL Server databases with a level of 
reliability, availability, manageability, and performance that equates to what is possible with a 
storage area network. 

Benefits of an SoFS deployment include: 


= Active-Active file share topology SoFS allows the same folder to be accessed from 
multiple nodes of the same cluster. An SoFS file share remains online should one or 
more cluster nodes fail or be taken down for planned maintenance. 
= Scalable bandwidth You can respond to a requirement for increased bandwidth by 
adding nodes. 
= Automatic rebalancing of clients SMB client connects are tracked on a per-file 
share basis, with clients being redirected to the cluster node that has the best access to 
the storage device used by the file share. 
= CHKDSK with zero downtime The Cluster Shared Volume File System, used with 
SoFS, allows CHKDSK operations to occur without affecting applications that have open 
handles on the file system. 
You should consider SoFS file shares for the following scenarios: 
m Storing Hyper-V configuration and live virtual disks 
m Storing live SQL Server database files 
m Storing shared IIS configuration data 
SoFS has the following requirements: 


m The storage configuration must be explicitly supported by failover clustering. This 
means that you must be able to successfully run the Cluster Validation Wizard before 
adding an SoFS. 

m SOFS requires Cluster Shared Volumes. 

Windows Server 2019 and Windows Server 2022 support an SoFS role called the Infrastruc- 
ture File Server. An infrastructure SoFS uses a single namespace share for the Cluster Shared 
Volume drive. The benefit of the Infrastructure File Server role is that it allows the Hyper-V 
host to communicate using guaranteed continuous availability to the Infrastructure SoFS SMB 


server. A failover cluster can only support a single infrastructure SoFS instance. To create an 
infrastructure SoFS, run the following PowerShell command: 


Add-ClusterScaleOutFileServerRole -Cluster ClusterName -Infrastructure -Name 
InfrastructureSoFSName 
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Virtual machine failover clustering 


One of the most common uses for failover clusters is hosting virtual machines. By deploy- 

ing a workload such as SQL Server or Exchange on a highly available virtual machine, you can 
achieve high availability without the need for the application to be aware that it is now highly 
available. The virtual machine functions normally, provides services to clients on the network, 
and can switch between cluster nodes as necessary in the event that the individual cluster node 
hosting it requires maintenance or experiences some sort of failure. Building a Hyper-V failover 
cluster first involves creating a failover cluster and then adding the Hyper-V role to each node 
of the cluster. 


You should use Cluster Shared Volumes to store virtual machines on a Hyper-V cluster 
because CSV allows multiple cluster nodes to manage a single shared storage device. This 
allows you to put multiple virtual machines on the same shared storage device but have those 
virtual machines hosted by different nodes in the failover cluster. Cluster Shared Volumes are 
mapped under the C:\ClusterStorage folder on cluster nodes. 


When creating a new virtual machine on a failover cluster, first select which cluster node 
hosts the virtual machine. When creating a highly available virtual machine, specify the Clus- 
ter Shared Volume path as the location to store the virtual machine. If you have an existing 
machine that you want to make highly available, you can move the virtual machine to this path. 
As an alternative, you have the option to specify an SMB 3.0 file share as the storage location 
for the highly available virtual machine. Whether to select a Cluster Shared Volume or an SMB 
3.0 file share depends on your organization's storage configuration. 


After the virtual machine is created, you can control it by using the Failover Cluster Manager 
console. The Move option in the Actions pane allows you to select the cluster node to which 
you want to move the virtual machine. 


In production environments, you should ensure that each Hyper-V host has an identical 
hardware configuration. However, in development environments, this is not always possible. If 
different processor types are used—for example, an Intel processor on one node and an AMD 
processor on another—you might have to perform a quick migration. Quick migration allows 
migration between nodes but does cause a disruption in client connectivity. You can allow 
migration between Hyper-V nodes with different processor types or versions by enabling the 
processor compatibility setting on the virtual machine. 


VM Monitoring is a failover cluster feature that allows you to monitor the health state of 
applications that are hosted on a guest virtual machine. This monitoring allows the cluster to 
take remediation actions in the event that the application or service fails. You can configure 
VM Monitoring for any Windows service or event log event that occurs on a guest VM. To use 
VM Monitoring, you need to enable the Virtual Machine Monitoring rule on the guest VM. 
You can configure monitoring on a VM using the Failover Cluster Manager or the Add- 
ClusterVMMonitoredItem cmdlet. You can configure whether the failure of an application or 
service triggers a guest VM restart on the current node or the guest VM to fail over to another 
node by configuring the failover properties of the virtual machine. 
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Configure cluster sets 


Cluster sets are new features available in Windows Server 2019 and later, and they allow clus- 
ters to be loosely federated, allowing you to migrate workloads between clusters with minimal 
downtime. When you implement cluster sets, you can combine smaller clusters into larger 
virtual clusters. These virtual clusters support virtual machine fluidity and a unified storage 
namespace, meaning that virtual machines can be moved between clusters in a cluster set as 
easily as they are moved between nodes in a traditional failover cluster. While virtual machines 
can be live-migrated between clusters, Windows Server cluster sets do not allow virtual 
machines to be configured to automatically fail over between clusters in a cluster set. 


Only clusters running at the Windows Server cluster functional level 10 or higher can partici- 
pate in cluster sets. This means that clusters can have nodes running the Windows Server 2019 
and Windows Server 2022 operating systems but that you cannot join clusters running Win- 
dows Server 2016 or earlier Windows Server operating systems to a cluster set. All clusters in a 
cluster set must be members of the same Active Directory forest. If you are going to perform 
live migration of virtual machines between clusters in a cluster set, you must ensure that the 
nodes share the same processor architecture. 


Cluster sets improve the failover cluster life cycle. Rather than adding and removing nodes 
from a single cluster when the node hardware is to be retired, you can add a new cluster to 
the cluster set, migrate workloads across from the original cluster to the new cluster, and then 
retire that original cluster. Cluster sets are currently supported by Microsoft for up to 64 cluster 
nodes, which is the same number of nodes supported in an individual failover cluster. That 
being said, there is no specific limit to the number of nodes that may exist within a cluster set, 
so going beyond 64 nodes in a cluster set is possible should you want to try it. 


Cluster sets consist of a management cluster and member clusters. The management cluster 
is the cluster set that holds the management role for the cluster set and also hosts the unified 
storage namespace for the cluster set Scale-Out File Server. The management cluster does not 
host workloads, such as virtual machines, and its role is to manage the relationship between 
other clusters in the cluster set and to host the storage namespace. The new role that the man- 
agement cluster hosts is termed the Cluster Set Master (CS-Master). Member clusters hold the 
Cluster Set Worker, or CS-Worker, role. The namespace for the cluster set is hosted by a Scale- 
Out File Server cluster role running on the management cluster. When creating the Scale-Out 
File Server role for the management cluster, you use the Add-ClusterScaleoutFileServerRole 
PowerShell cmdlet with the Infrastructure parameter. 

Cluster sets support the configuration of fault domains and availability sets. Fault domains 
are collections of hardware and software where a single fault, such as a power outage, causes a 
set of cluster nodes to fail. If you are using stretch clusters to span datacenters, each datacenter 
could be configured as a separate fault domain. Availability sets allow you to configure work- 
load redundancy across fault domains. 
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NEED MORE REVIEW? CLUSTER SETS 


You can learn more about cluster sets at https://docs.microsoft.com/en-us/azure-stack/hci/ 
deploy/cluster-set. 


Create an Azure witness 


A Cloud Witness has the Cluster Witness role hosted in Azure rather than at a third site. A Cloud 
Witness is suitable for multisite clusters. To configure a Cloud Witness, create a storage account 
in Azure, copy the storage access keys, note the endpoint URL links, and then use these links 
with the Configure Cluster Quorum Settings Wizard and specify a Cloud Witness. 


A Cloud Witness should be blob storage in a general-purpose standard performance 
storage account. The Cloud Witness should use storage access keys for authentication rather 
than shared access signatures or Azure AD system—assigned managed identity. You should 
configure the Cloud Witness storage account to use locally redundant storage if the cluster 
is on-premises or hosted in Azure using a single availability zone. If the cluster uses multiple 
availability zones, you should choose zone-redundant storage. 


NEED MORE REVIEW? CLOUD WITNESS 


You can learn more about Cloud Witness at https://docs.microsoft.com/en-us/windows-server/ 
failover-clustering/deploy-cloud-witness. 


Configure a floating IP address for the cluster 


Windows Server clusters allow you to define an IP address as a cluster resource and have the IP 
address fail over between cluster nodes. To do this, you need support for the following: 


= Support for dynamic registration and deregistration of IP addresses (DHCP) 


m Ability to update network address translation caches of hosts attached to the subnet on 
which the IP address resides 


DHCP and ARP are likely to automatically handle these elements of floating IP address con- 
figuration as this technology has been available since the release of Windows NT 4. 


NEED MORE REVIEW? CLUSTER FLOATING IP ADDRESS 


You can learn more about cluster floating IP address at https://docs.microsoft.com/en-us/ 
troubleshoot/windows-server/high-availability/cluster-information-ip-address-failover. 


Implement load balancing for the failover cluster 


There are two primary methods for load-balancing cluster workloads. The first is used to 

ensure that a Hyper-V cluster that hosts VMs balances VM workloads equitably across the 
available nodes. This ensures that you don’t end up with a situation where one node has a 
consistent 95 percent processor utilization due to VM workloads while other nodes in the 
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cluster have relatively idle processors. In addition to VM load balancing, some workloads, such 
as Scale-Out File Servers, automatically balance incoming client requests across cluster nodes. 
Not all workloads support automatic balancing of client requests and the second type of load 
balancing, called network load balancing, balances incoming client network traffic across a 
number of hosts. 


VM load balancing 


VM load balancing is a feature that distributes VM workloads equitably across cluster nodes. 
The feature automatically identifies cluster nodes that are over-committed in terms of memory 
pressure and CPU utilization and automatically live migrates VMs away from these nodes 

to those that are under less resource pressure. VM load balancing takes into account fault 
domains, preferred owners, and nodes that are configured not to host specific VM workloads. 
VM load balancing is enabled by default on Windows Server 2016 and later Hyper-V clusters. 


You configure VM load balancing in the Windows Admin Center by connecting to a Hyper- 
V failover cluster and, under Settings, selecting Virtual Machine Load Balancing. Here you can 
disable VM load balancing and configure load balancing aggressiveness. The aggressiveness 
settings work in the following manner depending on load (which can be memory pressure or 
CPU utilization over the last 300 seconds): 


m Low VMsare migrated if a Hyper-V cluster node is more than 80 percent loaded. 
= Medium VMs are migrated if a Hyper-V cluster node is more than 70 percent loaded. 


= High VMs are migrated if a Hyper-V cluster node experiences load exceeding 
5 percent of the average load. 


You can determine a cluster’s auto balancing settings using the (Get-Cluster) . AutoBal- 
ancerMode and (Get-Cluster) .AutoBalancerLevel commands. 


The values listed in Table 2-1 determine automatic load balancer thresholds. 


TABLE 2-1 Auto VM load balancer aggressiveness 


AutoBalancerLevel Aggressiveness Action 


1 (default) Low Move workloads when the node reaches 80 percent 
memory or processor utilization. 


2 Medium Move workloads when the node reaches 70 percent 
memory or processor utilization. 


3 High Move workloads when the node reaches 60 percent 
memory or processor utilization. 


The values listed in Table 2-2 determine automatic load balancer mode. 
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TABLE 2-2 Auto VM load balancer mode 


AutoBalancerMode Aggressiveness 

0 Disables VM load balancing 

1 Load-balances each time a new node joins the Hyper-V cluster 

2 (default) Load-balances each time a new node joins the Hyper-V cluster and every 
30 minutes 


NEED MORE REVIEW? VM LOAD BALANCING 


You can learn more about VM load balancing at https://docs.microsoft.com/en-us/azure-stack/ 
hci/manage/vm-load-balancing. 


Network load balancing 


Network load balancing (NLB) distributes traffic across multiple hosts in a balanced manner. 
NLB directs new traffic to cluster nodes under the least load. NLB works as a high-availability 
solution because it detects node failures and automatically redistributes traffic to available 
nodes. NLB is also scalable, which means that you can start with a two-node NLB cluster and 
keep adding nodes until you reach a maximum of 32 nodes. A node is a computer running the 
Windows Server operating system that participates in the NLB cluster. A computer can be a 
member of only one Windows NLB cluster. 


NLB functions through the creation of a virtual IP and a virtual network adapter with an 
associated Media Access Control (MAC) address. Traffic to this address is distributed to the 
cluster nodes. In the default configuration, traffic is distributed to the least-utilized node. You 
can also configure NLB so that specific nodes are preferred and process more traffic than other 
nodes in the cluster. 


NLB is a high-availability solution that is suitable for stateless applications. Imagine that you 
have a two-tier web application where you have four servers running IIS as the web tier and 
two servers running SQL Server as the database tier. In this scenario, you add Web Server 1, 
Web Server 2, Web Server 3, and Web Server 4 to an NLB cluster as web servers host stateless 
applications. To make the database servers highly available, you would configure a failover 
cluster or Always On Availability Group, but you wouldn't configure NLB because SQL Server is 
a stateful application. 


NLB is failure aware as long as the failure occurs on the node. For example, if you have a 
two-node NLB cluster that you use with a web application and the network card fails on one 
of the nodes, NLB is aware of the failure and stops directing traffic to the node. If instead of 
a network card failure the web application fails but everything else remains operational, NLB 
remains unaware of the failure and continues to direct requests to the node that hosts the 
failed web application. In a real-world environment, you'd set up more sophisticated moni- 
toring that allows you to detect the failure of the application, not just the failure of the node. 
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Some hardware-based NLB solutions are sophisticated enough to detect application failures 
rather than just host failures. 


NETWORK LOAD BALANCING PREREQUISITES 

In terms of setup, NLB is straightforward and only requires you to install the feature. Although 
you can install the feature on a node, you must ensure that it meets some prerequisites before 
you can add it to a cluster. Before you add a host to an NLB cluster, you must ensure the 
following: 


m All nodes in the NLB cluster must reside on the same subnet. While you can configure 
a subnet to span multiple geographic locations, the cluster is unlikely to converge suc- 
cessfully if the latency between nodes exceeds 250 milliseconds. 


m All network adapters must either be configured as unicast or multicast. You can't use 
Windows NLB to create an NLB cluster that has a mixture of unicast and multicast 
addresses assigned to network adapters. 


m Ifyou choose to use the unicast cluster configuration mode, the network adapter needs 
to support changing its MAC address. 


m The network adapter must be configured with a static IP address. 


There is no restriction on the number of network adapters in each host. You can have one 
host with three network adapters in a team and another host with five separate adapters 
participate in the same NLB cluster. You can run nodes on different editions of Windows Server, 
although considering that the only difference between the Standard and the Datacenter edi- 
tions is virtual machine licensing, you are unlikely to be running NLB on the Datacenter edition. 
Although it is possible to have working NLB clusters if you are running different versions of 
Windows Server, you should upgrade all nodes as soon as possible to the same operating 
system. You should also attempt to ensure that nodes have similar hardware capacity or are 
running on similarly provisioned virtual machines so that a client doesn’t get a radically differ- 
ent experience when connecting to different nodes. 


NLB CLUSTER-OPERATION MODES 

When configuring an NLB cluster, you can choose between one of three separate cluster- 
operation modes. The mode that you select depends on the configuration of the cluster nodes 
and the type of network switch to which the cluster nodes are connected. You can configure 
the cluster-operation mode when creating the cluster. The operation modes are as follows: 


m Unicast Mode |f you configure an NLB cluster to use the unicast cluster-operation 
mode, all nodes in the cluster will use the same unicast MAC address. Outbound traffic 
from node members uses a modified MAC address that is determined by the cluster 
host's priority settings. The drawback to using unicast mode with nodes that have a 
single adapter is that you can only perform management tasks from computers located 
on the same TCP/IP subnet as the cluster nodes. This restriction doesn't apply, however, 
when the cluster nodes have multiple network adapters that are not NIC team mem- 
bers. When you use unicast with multiple network adapters, one adapter is dedicated to 
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cluster communication, and you can connect to any other adapters to perform manage- 
ment tasks. You can improve cluster operation by placing the adapters that you use for 
cluster communication and the adapters you use for management tasks on separate 
VLANs. 


= Multicast Mode This mode is suitable when each node has only one network adapter. 
When you configure multicast mode, each cluster host keeps its original network 
adapter’s MAC address, but it is also assigned a multicast MAC address. All nodes in the 
cluster use the same multicast MAC address. You can only use multicast mode if your 
organization's switches and routers support it. Unless you've got bargain-basement net- 
work equipment, it’s likely that your current network hardware supports multicast mode 
for NLB. 


= IGMP Multicast Internet Group Management Protocol (IGMP) multicast mode is 
an advanced form of multicast mode that reduces the chances of the network switch 
being flooded with traffic. It works by only forwarding traffic through the ports that are 
connected to hosts that participate in the NLB cluster, but it also requires a switch that 
supports this functionality. 


MANAGING NLB CLUSTER HOSTS 

After the NLB cluster is set up and functioning, most maintenance operations, such as applying 
software updates, are performed on cluster nodes. When performing maintenance tasks, you 
should perform the task on one node at a time so that the application that the cluster pro- 
vides to users continues to remain available. Prior to performing maintenance tasks on a node, 
you should first stop incoming connections and allow existing connections to be completed 
naturally. When there are no connections to the node, you can then stop the node, apply the 
updates, and restart the node. You have the following options for managing cluster nodes: 


= Drainstop Blocks new connections to the cluster node, but doesn’t terminate existing 
connections. Use this prior to planned maintenance to gracefully evacuate the cluster of 
connections. 


m Stop Stops the cluster node. All connections to the cluster node from clients are 
stopped. Use Stop after you use Drainstop so that you can then perform maintenance 
tasks, such as applying updates. 


m Start Starts a cluster node that is in a stopped state. 


m Suspend Pauses the cluster node until you issue the Resume command. Using Sus- 
pend does not shut down the cluster service, but it does terminate current connections 
as well as block new connections. 


m Resume Resumes a suspended cluster node. 


PORT RULES 
An NLB port rule allows you to configure how the NLB cluster responds to incoming traffic on a 
specific port and protocol such as TCP port 80 (HTTP). Each host in an NLB cluster must use the 
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same port rules. Although it is possible to configure port rules on a per-node basis, it's safer to 
configure them at the cluster level to ensure that they are consistent. The default port rule redi- 
rects traffic on any TCP or UDP port to each node in the cluster in a balanced way. If you want 
to create specific rules, delete the default rule. 


FILTERING AND AFFINITY 

When you create a port rule, you also choose a filtering mode, which might require you to 
configure affinity. Filtering allows you to determine whether incoming traffic is handled by one, 
some, or all nodes in the NLB cluster. If you choose to allow multiple nodes to accept incom- 
ing traffic, you need to configure affinity. The affinity setting determines whether one node 
handles all subsequent requests from the same client or if subsequent requests from the same 
client are redistributed across other nodes. Affinity is often important with web applications 
where a consistent session must exist between the client and one web server after the session is 
established. You can configure the following filtering modes: 


= Multiple Host This is the default filtering mode. This mode allows traffic to be 
directed to any node in the NLB cluster. You also need to specify one of the following 
affinity settings: 

m Single When you configure this option, the incoming request is distributed to one 
of the cluster nodes. All subsequent traffic from the originating host is directed to that 
same node for the duration of the session. This is the default multiple host affinity. Don’t 
confuse Multiple Host, Single Affinity with Single Host filtering. 


= None Incoming traffic is distributed to the cluster node under the least load even if 
there is an existing session. This means that multiple nodes may handle traffic from a 
single session. 

= Network This option directs clients to cluster nodes based on the requesting client's 
network address. 

m Single Host A single node handles all traffic sent to the cluster on this port rule. In this 
case, no load balancing occurs. For example, if you have a four-node cluster, but you 
want node 3 to be the only one that handles traffic on TCP port 25, you would configure 
a port rule with the filtering mode set to Single Host. 

m Disable The Port Range When you configure this setting, the NLB cluster drops traf- 
fic sent to the cluster that matches the port rule. 


() ) EXAM TIP 


Remember the type of storage account and authentication needed for a cluster’s cloud 
witness. 
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Skill 2.2: Manage failover clustering 


This objective deals with the management of Windows Server failover clusters in on-premises, 
hybrid, and cloud environments. To master this objective, you'll need to understand how to 
deploy software updates to Windows Server failover clusters, perform rolling cluster upgrades, 
perform workload failovers, and perform cluster operations using Windows Admin Center and 
PowerShell. 


This skill covers how to: 

m Implement Cluster-Aware Updating 

= Recover a failed cluster node 

m Upgrade a node to Windows Server 2022 
m Failover workloads between nodes 


m= Manage failover clusters using Windows Admin Center 


Implement Cluster-Aware Updating 


Cluster-Aware Updating (CAU) is a feature that is included with Windows Server that allows 
you to automate the process of applying software updates to failover clusters. Cluster-Aware 
Updating integrates with Windows Update, Windows Server Update Services (WSUS), and 
Azure Update Software Management. 


CAU uses the following process: 
1. Obtains the update files from the source location. 
Puts the first node into maintenance mode. 
Moves any cluster roles off the node to other nodes in the cluster. 
Installs software updates. 


Restarts the cluster node, if necessary. 


Au PR wn 


Checks for additional updates. If updates are found, it performs steps 4 through 6 until 
all updates are applied. 


N 


Brings the node out of maintenance mode. 
Reacquires clustered roles that were moved to other nodes. 


9. Puts the next node into maintenance mode and repeats the cycle starting at step 3 until 
all nodes have been updated. 

The main benefit of CAU is that it updates a process that previously had to be performed 
manually. You can configure CAU to automatically apply updates to cluster nodes when they 
are approved through WSUS or Configuration Manager, or you can trigger CAU manually as 
needed. Managing CAU through Windows Admin Center requires the configuration of the 
Credential Security Support Provider protocol (CredSSP). 
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CAU has the following requirements: 

m Updating can only occur if the cluster has enough nodes online to retain quorum. 

m Allcluster nodes must be members of the same AD DS domain. 

m The cluster name must be resolvable using DNS. 

m Allcluster nodes should be configured to use the same update source. 

CAU can be triggered remotely by using remote updating mode. When you use remote 
updating mode, the computer managing the updates, called the Update Coordinator, must 


retain connectivity to and be a member of the same AD DS domain as the failover cluster and 
cluster nodes. 


You can configure the CAU options so that the updates are rolled back across the cluster if 
an update fails to install on a node after a specified number of attempts. You can also config- 
ure Advanced Options to create run profiles. A run profile allows you to configure scripts to run 
before and after the update process has occurred and manage specific services hosted on the 
cluster that require special shutdown or startup configurations. 


NEED MORE REVIEW? CLUSTER-AWARE UPDATING 


You can learn more about Cluster-Aware Updating at https://docs.microsoft.com/en-us/ 
windows-server/failover-clustering/cluster-aware-updating-options. 


Recover a failed cluster node 


How you recover from a failed cluster node is dependent on the type of failure. If the node fails 
because a hardware component fails and the replacement is an easy one, you can bring the 
node back online fairly quickly. In the event that there will be more downtime, you should evict 
the node so that the cluster can reconfigure its quorum calculations. When there is a substan- 
tive node failure, you perform the following general steps: 


m Evict the cluster node using the Remove-Clusternode PowerShell cmdlet. 


m Clear the cluster configuration from the node using the Clear-ClusterNode PowerShell 
cmdlet. 

m Perform repair operations on the node. 

m Use the Add-ClusterNode PowerShell cmdlet to add the repaired node or a replacement 
node to the cluster. 


After returning or replacing the failed node, you should check all of the workload settings 
for preferred ownership to verify that the replacement or repaired node can be used as a tar- 
get in the event that a failure occurs on another node. 


A fault domain is a collection of hardware components that share a common point of failure. 
Windows Server allows you to configure fault domains at the site, rack, chassis, and node levels. 


You can use Storage Spaces and Storage Spaces Direct with fault domains to ensure that copies 
of data are kept in separate fault domains. For example, if you defined fault domains at the site 
level, you can configure Storage Spaces so that redundant data resides in separate sites rather 
than residing only on separate cluster nodes. 
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Upgrade a node to Windows Server 2022 


Cluster OS Rolling Upgrade allows you to upgrade a cluster hosting Hyper-V or Scale-Out File 
Server workloads without taking those workloads offline. You can perform a Cluster OS Rolling 
Upgrade from Windows Server 2012 R2 to Windows Server 2016, or you can perform a rolling 
upgrade from Windows Server 2016 to any more recent version of Windows Server. Other 
cluster-hosted workloads, such as SQL Server, are only offline during failover from an original 
cluster node to a new or upgraded cluster node. 


Upgrading a cluster involves either adding new nodes running a new version of Windows 
Server or performing an in-place upgrade of existing nodes to a new version of Windows 
Server. Although clusters can function normally with nodes running different versions of the 
Windows Server operating system, you should minimize the amount of time that the cluster is 
in this transitional state. 


The nodes that you can add to a cluster depend on the cluster functional level. A cluster 
that only has nodes running Windows Server 2012 R2 is running at cluster functional level 8. 
Cluster functional level 8 supports nodes that run both Windows Server 2012 R2 and later. You 
can introduce cluster nodes that run either Windows Server 2012 or 2016 to the cluster as long 
as the cluster is still configured to use cluster functional level 8. Introducing a node running a 
more recent version of Windows Server doesn’t require you to upgrade the cluster functional 
level. Once you have transitioned all nodes through addition, eviction, and upgrade, you can 
then raise the cluster functional level. 


A cluster running at functional level 9 supports nodes running Windows Server 2016 and 
later, a cluster running at functional level 10 supports Windows Server 2019 and later, and a 
cluster running at functional level 11 supports only nodes running Windows Server 2022 and 
later. If you deploy a new cluster, the cluster will be set at the functional level of the operating 
system nodes. For example, a new Windows Server 2022 cluster will default to cluster func- 
tional level 11. 


You should only upgrade the cluster functional level when you are absolutely certain that 
you don't want to roll back the cluster upgrade and that all nodes have been upgraded. You 
can determine which functional level a cluster is running at by running the following Windows 
PowerShell command: 


Get-Cluster | Select ClusterFunctionalLevel 
You can also use the Get-ClusterNodeSupportedVersion cmdlet on a computer running Win- 


dows Server to determine which nodes in the cluster are running at a specific functional level 
and cluster upgrade version. 


You can upgrade the cluster functional level by using the Update-ClusterFunctionalLevel 
cmdlet. Cluster OS Rolling Upgrade has the following conditions: 


m You can only upgrade a Hyper-V cluster if the CPUs support second-level address trans- 
lation (SLAT). 


= When performing the Cluster OS Rolling Upgrade, always use the most recent version of 
Windows Server to add nodes to the cluster. 
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m All cluster management tasks should be performed from the more recent operating 
system node than the previous version node. 


= Cluster OS Rolling Upgrade cannot be used to upgrade VM guest clusters that use a 
shared virtual hard disk as shared storage. VM guest clusters are clusters where each 
node is a virtual machine. AVM guest cluster that uses a shared virtual hard disk for 
shared storage cannot be upgraded, but a VM guest cluster that uses another form of 
shared storage, such as iSCSI, can be upgraded by using a Cluster OS Rolling Upgrade. 


= Before upgrading a node, drain the node of workloads and evict the node from the 
cluster. After you've upgraded the node’s operating system, you can join it to the cluster 
again. 

= Before starting the Cluster OS Rolling Upgrade, ensure that all elements of the cluster 
and its workloads are backed up. 

m You can't lower the cluster functional level after it has been raised. 


m Cluster OS Rolling Upgrade only works when the original cluster is running Windows 
Server 2012 R2 or later. 


NEED MORE REVIEW? CLUSTER OS ROLLING UPGRADE 


You can learn more about Cluster OS Rolling Upgrade at https://docs.microsoft.com/en-us/ 
windows-server/failover-clustering/cluster-operating-system-rolling-upgrade. 


Failover workloads between nodes 


When configured properly, failover between cluster nodes will occur automatically based on 
the settings configured for each workload. You can also perform a planned failover where you 
manually trigger failover using the Failover Cluster Manager RSAT tool, Windows Admin Cen- 
ter, or the following PowerShell cmdlets: 


= Move-ClusterVirtualMachineRole Allows you to move a clustered virtual machine 
to another node 


= Move-ClustersharedVolume Moves a Cluster Shared Volume so that it is owned bya 
different node in the failover cluster 

= Move-ClusterResource Allows you to transfer a clustered resource from one clus- 
tered role to another within a failover cluster 

m Move-ClusterGroup Allows you to move a clustered role to another node ina 
failover cluster 


Manage failover clusters using Windows Admin Center 

To manage failover clusters using Windows Admin Center, you'll need to ensure that the 
failover clustering extension for Windows Admin Center is installed and up to date. To add or 
create a failover cluster using Windows Admin Center, on the All Connections page click Add 
and then select the Server Clusters option. From here you can click Add to add an existing 
cluster or create new to create a new failover cluster. 
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Windows Admin Center allows you to perform the following cluster management tasks: 
m View failover cluster details and manage cluster resources 
m View cluster shared disks and volumes 
m View networks used by the cluster 
m View and manage cluster nodes 
m= Manage cluster roles 
m Perform cluster validation 
m Remove the cluster 
m Start and stop cluster resources 


m Manage software updates for cluster nodes using Cluster-Aware Updating (requires 
CredSSP) 


= View and manage virtual machines hosted on a Hyper-V cluster 


m View and manage virtual switches hosted on a Hyper-V cluster 


NEED MORE REVIEW? MANAGE FAILOVER CLUSTERS WITH WINDOWS ADMIN CENTER 


You can learn more about managing failover clusters with Windows Admin Center 
at https://docs.microsoft.com/windows-server/manage/windows-admin-center/use/ 


manage-failover-clusters. 


EXAM TIP 


Cluster workloads will not fail over to nodes that are not on the list of possible workload 
owners. 


Skill 2.3: Implement and manage Storage Spaces Direct 


This objective deals with deploying and managing Storage Spaces Direct (S2D). To master 
this objective you'll need to understand how to create S2D failover clusters, configure S2D, 
upgrade S2D nodes, and manage S2D networking. 


This skill covers how to: 
m Understand Storage Spaces Direct 
= Create failover cluster using Storage Spaces Direct 
= Configure Storage Spaces Direct 
m Upgrade Storage Spaces Direct node 


= Implement networking for Storage Spaces Direct 
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Understand Storage Spaces Direct 


Storage Spaces Direct allows you to use Windows Server with locally attached storage to cre- 
ate highly available software-defined storage. Storage Spaces Direct (which uses the acronym 
S2D because the SSD abbreviation is already used for solid-state disks) provides a form of 
distributed, software-defined, shared-nothing storage that has similar characteristics to RAID 
in terms of performance and redundancy. S2D allows you to create volumes from a storage 
pool of physical drives that are attached to multiple nodes that participate in a Windows Server 
failover cluster. Storage Spaces Direct functions as a replacement for expensive large-scale 
hardware storage arrays. S2D is only available with the Datacenter edition of Windows Server. 


Storage Spaces Direct has the following properties: 
m You can scale out by adding additional nodes to the cluster. 


m When you add a node to a cluster configured for Storage Spaces Direct, all eligible 
drives on the cluster node will be added to the Storage Spaces Direct pool. 


m You can have between 2 and 16 nodes in a Storage Spaces Direct failover cluster. 


m |trequires each node to have at least two solid-state drives and at least four additional 
drives. 


= A cluster can have more than 400 drives and can support more than 4 petabytes of 
storage. 


m Storage Spaces Direct works with locally attached SATA, SAS, persistent memory, or 
NVMe drives. 


m Cache is automatically built from SSD media. All writes up to 256 KB and all reads up to 
64 KB will be cached. Writes are then de-staged to HDD storage in optimal order. 


m Storage Spaces Direct volumes can be part mirror and part parity. To have a three-way 
mirror with dual parity, it is necessary to have four nodes in the Windows Server failover 
cluster that hosts Storage Spaces Direct. 


m Ifa disk fails, the plug-and-play replacement will automatically be added to the Storage 
Spaces pool when connected to the original cluster node. 


m A Storage Spaces Direct cluster can be configured with rack and chassis awareness as a 
way of further ensuring fault tolerance. 


m Storage Spaces Direct clusters are not supported where nodes span multiple sites. 
m While NTFS is supported for use with S2D clusters, ReFS is recommended. 
S2D supports two deployment options: 


m Hyper-Converged With the Hyper-Converged deployment option, both storage and 
compute resources are deployed on the same cluster. This has the benefit of not requir- 
ing you to configure file server access and permissions and is most commonly used in 
small to medium sized Hyper-V deployments. 


m Converged With the converged (also known as disaggregated) deployment option, 
storage and compute resources are deployed in separate clusters. Often used with 
Hyper-V infrastructure-as-a-service (laaS) deployments, a Scale-Out File Server is 
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deployed on S2D to provide network attached storage over SMB3 file shares. The com- 
pute resources for the laaS virtual machines are located on a separate cluster from the 
S2D cluster. 


S2D mirror-accelerated parity reduces the amount of space used on the underlying stor- 
age. A three-way mirror volume needs three times the underlying storage. For example, if 
you create a volume that is 10 terabytes in size, you need 30 terabytes of underlying storage. 
Mirror-accelerated parity mirrors only the most active 20 percent of data, with the percentage 
of mirrored data configurable depending on your organization's needs. 


S2D in Windows Server 2019 and Windows Server 2022 supports nested resiliency. Nested 
resiliency is a capability designed for two-server S2D clusters that allows storage to remain 
available in the event of multiple hardware failures. When nested resiliency is configured, vol- 
umes can remain online and accessible even if one server goes offline and a drive fails. Nested 
resiliency only works when a cluster has two nodes. Nested resiliency requires a minimum of 
four capacity drives per server node and two cache drives per server node. 


NEED MORE REVIEW? STORAGE SPACES DIRECT 


You can learn more about Storage Spaces Direct at https://docs.microsoft.com/en-us/ 
windows-server/storage/storage-spaces/storage-spaces-direct-overview. 


Create failover cluster using Storage Spaces Direct 
Deploying an S2D cluster is essentially the same as deploying a normal Windows Server failover 
cluster with the extra step of enabling S2D once the cluster has been created. To deploy an S2D 
cluster, perform the following general steps: 
1. Ensure that the drives that you will use for S2D are empty and contain no existing parti- 
tions or data. 
2. Install the Failover Clustering, Hyper-V, File Server, Data Center Bridging, and roles and 
features; also, you install the Hyper-V and clustering PowerShell cmdlets on each cluster 
node by using the following command: 


Install-WindowsFeature -Name "Failover-Clustering", "Hyper-V", "Data-Center- 
Bridging", "RSAT-Clustering-PowerShel1", "Hyper-V-PowerShel1", "FS-FileServer" 


3. Use the Test-Cluster cmdlet with the -Include Storage Spaces Direct, Inventory, 
Network, and System Configuration parameters to verify that the cluster configuration is 
valid. 


4. Use the New-Cluster cmdlet with the -NoStorage parameter to create the cluster. 
For example, run this command to create a new cluster named TestS2DCluster with 
machines S2DN1 and S2DN2: 


New-Cluster -Name TestS2DCluster -Node S2DN1,S2DN2 -NoStorage 


5. Configure a cluster witness. This can be a cloud witness, a file share witness, or a disk 
witness. 
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6. Enable Storage Spaces Direct using the Enable-ClusterStorageSpacesDirect cmdlet. For 
example, to enable S2D on a cluster named TestS2DCluster, run the following command: 


Enable-ClusterStorageSpacesDirect -CimSession TestS2DCluster 


7. The next step is to create volumes and optionally enable the CSV cache. 


NEED MORE REVIEW? S2D DEPLOYMENT 


You can learn more about S2D deployment at https://docs.microsoft.com/en-us/ 
windows-server/storage/storage-spaces/deploy-storage-spaces-direct. 


Configure Storage Spaces Direct 


Configuring S2D requires understanding the variety of resiliency types available as well as how 
caching functions and technologies such as direct access (DAX) for persistent memory storage. 


S2D resiliency types 


S2D resiliency options are dependent on how many fault domains are present, the failure toler- 
ance required, and the storage efficiency that can be achieved. A fault domain is a collection of 
hardware, such as a rack of servers, where a single failure can affect every component in that 
collection. 


Table 2-3 lists the different resiliency types, failure tolerances, storage efficiencies, and 
minimum fault domains. 


TABLE 2-3 S2D resiliency 


Resiliency Failure tolerance Storage efficiency Minimum fault 
domains 

Two-way mirror 1 50.0% 2 

Three-way mirror 2 33.3% 3 

Dual parity 2 50.0%-80.0% 4 

Mixed 2 33.3%-80.0% 4 


NEED MORE REVIEW? S2D RESILIENCY 


You can learn more about S2D resiliency at https://docs.microsoft.com/en-us/windows-server/ 
storage/storage-spaces/storage-spaces-fault-tolerance. 


S2D cache drives 


NVMe and persistent memory drives can be used as cache drives in S2D. When you do this, the 
faster storage is used for caching operations while the slower SSD or magnetic media drives 
are used for capacity. When you deploy S2D with multiple types of drives, S2D will automati- 
cally use the drives of the fastest types for caching and the remaining drives for capacity. For 
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example, if you had 4 nodes and each node had a single 1 TB NVMe, 10 TB SSD, and 20 TB HDD 
disk attached, the NVMe storage would be used for cache, allowing 120 TB to be used by S2D 
capacity volumes. 


NEED MORE REVIEW? S2D CACHE 


You can learn more about S2D cache at https://docs.microsoft.com/en-us/azure-stack/hci/ 
concepts/cache. 


Direct access (DAX) 


Not to be confused with the networking technology, direct access (DAX) interacts with per- 
sistent memory devices, bypassing the software overhead of the O/O stack to directly modify 
storage. This reduces latency and substantively improves performance. 


Windows Server 2019 and later support the creation of DAX volumes on Storage Spaces or 
S2D volumes that use a single persistent memory disk that is configured with no parity and no 
redundancy. DAX can only be used on a single disk and is only supported with NTFS. You can 
only implement DAX when formatting an NTFS volume, and it can't be enabled on an existing 
volume after formatting is complete. 


NEED MORE REVIEW? S2D DAK 


You can learn more about S2D direct access at https://docs.microsoft.com/en-us/ 
windows-server/storage/storage-spaces/persistent-memory-direct-access. 


Upgrade Storage Spaces Direct node 

You have four options when updating S2D clusters running Windows Server 2016 to Windows 
Server 2019 or Windows Server 2022, or from Windows Server 2019 to Windows Server 2022. 
These options are as follows: 

m Perform an in-place upgrade of each node while VMs hosted on the cluster remain 
available. This option will mean that guest VMs experience no downtime, but requires 
storage jobs to finish after each cluster node is upgraded. This may mean that the over- 
all cluster upgrade process takes more time. 

m Perform a clean OS installation of each node while VMs hosted on the cluster remain 
operational. When using this method, Microsoft recommends clean OS installation over 
in-place upgrade as it resets the server configuration. In-place upgrades can retain set- 
tings and applications that are no longer relevant. 

m Perform an in-place upgrade while guest VMs are stopped. This option means that 
guest VMs experience downtime, but there is no extra time spent on storage jobs. 


m Performa clean OS installation of each node while guest VMs are stopped. 
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Prior to upgrading an S2D cluster, ensure that you have verified backups and that your cur- 
rent hardware configuration is supported by the new version of Windows Server to which you 
are upgrading. If you have ReFS volumes that were created on a Windows Server 2016 host, 
these will remain available to newer versions of Windows Server but will not include enhance- 
ments such as mirror-accelerated parity performance improvements. If you are using software- 
defined networking on the cluster with switch embedded teaming switches, you should disable 
VM live migration verification checks before moving VMs to upgraded nodes. 

If you're doing an upgrade of Windows Server 2016 cluster nodes, perform the following 
steps: 

1. Migrate the guest VMs off the node. 

2. Pause the cluster with the Suspend-ClusterNode cmdlet with the Drain parameter (the 
first step will also do this). 

3. Put the node into storage maintenance mode using the Enable-StorageMaintenanceMode 
PowerShell cmdlet. 

4. Perform the in-place upgrade. 
Remove the server from storage maintenance mode using the Disable- 
StorageMaintenanceMode PowerShell cmdlet. 

6. Return the server to the cluster using the Resume-ClusterNode PowerShell cmdlet. 


7. Once all cluster nodes have been upgraded to the new version of Windows Server, 
upgrade the cluster functional level using the Update-ClusterFunctionalLevel cmdlet. 


8. After completing the cluster functional level update, use the Update-StoragePool cmdlet 
to update the storage pool. You can also upgrade the configuration version of the guest 
VMs using the Update-VMVersion cmdlet. 


NEED MORE REVIEW? UPGRADE STORAGE SPACES DIRECT 


You can learn more about upgrading S2D clusters at https://docs.microsoft.com/en-us/ 
windows-server/storage/storage-spaces/upgrade-storage-spaces-direct-to-windows-server-2019. 


Implement networking for Storage Spaces Direct 


S2D requires that networking to be configured in such a way that network throughput and 
performance between cluster nodes is adequate for storage operations. There are several steps 
that you can take to accomplish this goal: 


1. Setup a policy that assigns SMB-Direct packets with a priority tag. This can be accom- 
plished with the New-NetQosPolicy cmdlet with the NetDirectPortMatchCondition 
parameter set to 445. 


2. Enable priority-based flow control for SMB-Direct traffic using the Enable- 
NetQosFlowControl cmdlet. 


3. Disable Data Center Bridging Exchange traffic using the Set-NetQosDcbxSetting cmdlet. 
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4. Enable remote direct memory access (RDMA) on physical adapters using the Enable- 
NetAdapterRdma cmdlet. 


NEED MORE REVIEW? S2D NETWORKING 


You can learn more about S2D network requirements at https://docs.microsoft.com/en-us/ 
windows-server/storage/storage-spaces/deploy-storage-spaces-direct. 


EXAM TIP 


Remember how to calculate S2D capacity based on storage available, number of nodes, and 
resiliency types. 


Chapter summary 


= Windows Server failover clusters should consist of similarly configured nodes. 


m The account used to create a cluster needs to be a domain account with local adminis- 
trator privileges on each cluster node. Unless a computer account has been prestaged, 
the account also needs the ability to create computer objects in the domain. 


m Stretch clusters can use Storage Replica to ensure that workloads can fail over between 
sites. 


m Configure a Cloud Witness as standard performance blob storage and use a storage 


access key for authentication. Locally redundant storage is appropriate for on-premises 


and zone redundant if a cluster spans availability zones. 


= Quorum options are configured automatically, but you can use advanced configuration 


options to allow some nodes to vote on quorum and to exclude other nodes. 


= A general-purpose file server cluster role can serve clients only from one cluster node. A 


Scale-Out File Server (SoFS) can serve files from any cluster node. 
m Ensure CredSSP is configured if managing CAU using Windows Admin Center. 


m Cluster-Aware Updating run profiles allow pre- and post-scripts to run during the 
update process. 


m Cluster workloads will fail over from the preferred owner to other owners on the list 
sequentially. Cluster workloads will not fail over to any node that is not on the list of 


possible owners. Set the prevent failback option to stop a workload automatically failing 


back to after failover. 


m When you have drives of multiple types, S2D will use all drives of the fastest type for 
caching. NVMe will be used over SSD and HDD. 


m To determine maximum S2D capacity, don’t include the caching drive but take the sum 
of all remaining drives. 
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Thought experiment 


In this thought experiment, demonstrate your skills and knowledge of the topics covered in this 
chapter. You can find answers to this thought experiment in the next section. 


You are in the process of upgrading a 4-node Hyper-V cluster that uses S2D to store guest 


VMs from Windows Server 2016 to Windows Server 2022. You are performing an in-place 
upgrade of each node. With this in mind, answer the following questions: 


1. 


After you migrate the VMs off the first cluster node you will upgrade, what steps should 
you take before performing the in-place upgrade? 


Once the in-place upgrade is complete, what cmdlet should you run before running the 
Resume-ClusterNode PowerShell cmdlet? 


After all cluster nodes are upgraded to Windows Server 2022, what steps should you 
take next? 


Thought experiment answers 


This section contains the solution to the thought experiment. Each answer explains why the 
answer choice is correct. 


1. 


Once you've migrated any guest VMs off the first node, you should suspend the cluster 
node using the Suspend-ClusterNode cmdlet and then put the node into maintenance 
mode using the Enable-StorageMai ntenanceMode cmdlet. 

Once the upgrade is complete, you should disable storage maintenance mode using the 
Disable-StorageMaintenanceMode cmdlet. 

Once all nodes are updated to Windows Server 2022, you should update the cluster 
functional level and then run the Update-StoragePool cmdlet. You can also update the 
guest VM configuration level. 


Thought experiment answers 
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Implement disaster recovery 


Disaster recovery involves ensuring that you are able to recover a workload in the event that 
a failure occurs. Failures can be as simple as files becoming corrupted or a disk failing, or can 
be as complicated as an entire site going offline due to natural disaster. In this chapter you 
will learn how to manage backup and recovery for Windows Server computers, both on- 
premises and in Azure, how to use Azure Site Recovery to replicate hybrid and cloud-based 
Windows Server workloads, and how to use Hyper-V Replica to replicate virtual machines 
from one Hyper-V server instance or cluster to another. 


Skills covered in this chapter: 
m Skill 3.1: Manage backup and recovery for Windows Server 
m Skill 3.2: Implement disaster recovery by using Azure Site Recovery 


m Skill 3.3: Protect virtual machines by using Hyper-V Replica 


Skill 3.1: Manage backup and recovery for 
Windows Server 


Hybrid cloud environments address some of the historical challenges of backup and recov- 
ery, namely “Where do | store all that backup data?” and “How do | ensure that the data is 
offsite?” Azure Backup technologies are designed to integrate directly into Windows Server 
and support laaS VMs running in the cloud. Understanding how to leverage these technolo- 
gies is a core skill of the Windows Server Hybrid administrator. 


This section covers how to: 

m Understand Azure Backup 

m Manage backups in Azure Recovery Services vault 

= Back up and restore files and folders to Azure Recovery Services vault 

m Install and manage Azure Backup Server 

m Back up and recover using Azure Backup Server 

= Create a backup policy 

= Configure backup for Azure Virtual Machines using the built-in backup agent 


m Restorea VM 
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Understand Azure Backup 


Azure Backup is a backup-as-a-service (BaaS) offering from Microsoft that uses Azure's infra- 
structure to back up and store workload recovery data for on-premises and Azure workloads. 
Azure Backup is fully integrated into Azure, making it a simple process for IT pros to enable 
backup for a large number of Azure offerings. You can also use agents to back up on-premises 
or cross-cloud workloads or to deploy an Azure Backup Server instance to centralize on- 


premises backup operations. You can use Azure Backup to protect the following workloads: 


On-premises workloads, including files, folders, and system state data, with the 
Microsoft Azure Recovery Services (MARS) agent. 


Hyper-V and VMware workloads through integration with System Center Data 
Protection Manager (DPM) or Microsoft Azure Backup Server (MABS) 


Azure laaS VM (Windows/Linux) with Azure backup extensions. File and folder backup 
using MARS agent. 


Azure managed disks 

Azure Files shares 

SQL Server in Azure VMs 

SAP HANA databases in Azure VMs 
Azure Database for PostgreSQL servers 


Azure blobs 


Azure Backup provides the following functionality for hybrid and Azure laaS workloads: 


Simplifies on-premises backup by storing backup and recovery data in the 

cloud This removes the need for the management of on-premises tapes and backup 
media and simplifies the process of ensuring that backup data is stored in a location 
separate from protected workloads. 

Integrated backup of Azure laaS VMs Backup protection can be enabled from the 
moment of laaS VM deployment. As backup data is stored in Azure, retention goals can 
be set without the need to closely monitor backup storage capacity. 

Support for application consistent backup For Windows workloads, this includes 
ensuring that transactions and the memory state of running applications are captured 
in backups. 

Unlimited data transfer of inbound and outbound backup data The exception to 
this rule is for initial offline backups using the Azure Import/Export service. 

Secured backup data Azure Backup can be configured to secure inbound and out- 
bound backup data as well as to secure stored backup data. 

Support for short-term and long-term retention goals Each protected workload 
can have up to 9,999 recovery points. The maximum retention period is determined by 
this limit and how often recovery points are created. 
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= Redundancy of backup data in Recovery Services vaults You can configure 
backup vaults to use locally redundant, geo-redundant, or zone-redundant storage. 


= Centralized monitoring and management Azure Backup integrates with Azure 
Monitor and Azure Functions for monitoring and automation. 


NEED MORE REVIEW? UNDERSTANDING AZURE BACKUP 


You can learn more about Azure Backup at https://docs.microsoft.com/en-us/azure/backup/ 
backup-overview. 


Manage backups in Azure Recovery Services vault 


Azure Recovery Services vaults (RSVs) are a special type of Azure storage that houses backup 
and disaster recovery data from a variety of hybrid and Azure workloads. RSV can integrate 
with System Center Data Protection Manager (DPM), Windows Server's backup utility, Azure 
Backup Server, and other backup products. 

RSVs provide the following benefits: 

m Backup and recovery data is secured through authentication, alerting, encryption, and 
recovery protection. Alerting means that notifications are sent whenever critical opera- 
tions are performed. Recovery protection ensures that deleted data is retained for an 
additional 14 days in the event that an intruder attempts to remove existing backups. 

m Ability to centrally monitor backup and disaster recovery across hybrid IT environments. 
RSVs can fully integrate with Azure Monitor. 

m Fine-grained access management control to back up, restore, and perform disaster 
recovery operations through Azure role-based access control (RBAC). 

m Cross-Region Restore, which allows you to restore Azure VMs to a secondary Azure 
paired region. 

RSVs must be in the same region as the resource you wish to back up. If your organization 
has resources deployed in three separate regions across the globe, you will need backup vaults 
in each of those regions if you want to use Azure Backup for protection. 

If you need to separate who can back up and restore from a vault based on organizational 
boundaries, you should use separate vaults and apply permissions appropriately. For example, 
you may need to ensure an administrator from one area of the business is not able to restore 
a workload from another area of the business. Azure does not allow you to apply role-based 
permissions to separate workloads stored within the same RSV. 

Although it is possible to use the same RSV for different Azure Backup workloads, best prac- 
tice is to create separate RSVs for separate workloads. Microsoft also recommends that if your 
organization has production and test environments, you use separate RSVs for each environ- 
ment's workloads. 
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A single Azure RSV can support backups for a maximum of 1,000 Azure VMs. Beyond the 
limit on Azure VM backup workloads, a single RSV can only support up to 2,000 backups of 
other workload types. For example, you could have 1,000 Azure VMs and 300 SQL databases 
backed up to an RSV if you weren't separating based on workload, but you could not have 
1,001 VMs and 299 SQL databases backed up to an RSV. 


RSV storage redundancy 


By default, RSVs are configured for geo-redundant storage (GRS). You can also choose to use 
locally redundant storage (LRS) and zone-redundant storage (ZRS). Microsoft's advice is as 
follows: 


m LRS is suitable for noncritical workloads such as those used in test environments. 


m ZRS is appropriate for workloads that require high data durability but also require the 
backup data to be kept in a specific geographic location. 


m GRS is appropriate for business-critical workloads that must remain operational in the 
event of a complete regional outage. 


You can switch which type of storage redundancy is used. Doing this will increase or 
decrease the charges allocated to the workload. To alter the type of redundancy used, perform 
the following steps: 


1. Inthe Settings section of an RSV's properties, select Update under Backup Configuration. 


2. Aspecial pane opens that lists storage replication type. On this page, choose between 
geo-redundant, locally redundant, or zone-redundant storage. 


Cross-Region Restore 


Cross-Region Restore (CRR) allows you to restore a backed-up Azure VM to a specific second- 
ary region. When you enable CRR on an RSV, you are able to restore replicated Azure VM 
backup data whenever you choose. This allows you to restore at any point in time and differs 
from when GRS is configured and Microsoft must declare that a disaster in the primary region 
has occurred. 


Monitoring an RSV 


You can use the Overview dashboard of an RSV to view monitoring and usage information. This 
dashboard provides the following information: 


= Critical and warning alerts for backup jobs performed in the last 24 hours. 
m Pre-check status for Azure laaS VMs. 


m Backup jobs that are in progress and any backup jobs that have failed in the last 24 
hours. 
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Alerts have the status or Critical, Warning, or Informational: 


= Critical alerts will occur when backup jobs fail, recovery jobs fail, and when protection is 
stopped on a server but backup data is still being retained in the vault. 


m Warning alerts will occur when backup jobs complete with warnings—for example, 
when backup completes but fewer than 100 files are not backed up because of file cor- 
ruption issues. 


m The Informational alert status has been reserved for future use by Microsoft. 


You can configure notifications for alerts that will send an email to a specific address in 
the event that an alert of a specific type is generated. You can configure alerts for Warning or 
Critical events. You can choose either to have an email sent per alert or to configure an hourly 
digest alert for all unresolved alerts generated in the previous 60 minutes. 


If alerts for backup activities for the MARS agent for a particular server do not appear in the 
Azure portal, ensure that the OBRecoveryServiceManagerAlert process is running on that server. 
If the service isn’t running, restart the Microsoft Azure Recovery Services Management Agent 
service. You may also find information in the following log file: <AzureBackup_agent_install_ 
folder>\Microsoft Azure Recovery Services Agent\Temp\GatewayProvider. 


NEED MORE REVIEW? MANAGE RECOVERY SERVICES VAULTS 


You can learn more about managing Recovery Services vaults at https://docs.microsoft.com/ 
en-us/azure/backup/backup-azure-manage-windows-server. 


Deleting an RSV 


Deleting an RSV first involves ensuring that you have removed the contents of the RSV, includ- 
ing soft-deleted data that has not yet met its deletion retention period's expiration. You are 
unable to delete an RSV if the vault contains protected data sources, such as backed-up laaS 


VMs or SQL databases, or if the vault has registered storage accounts. To delete an RSV, per- 
form the following steps: 


1. Stop backup of items. 
Disable soft delete. 
Delete existing items. 


Remove associations of servers and storage accounts with the vault. 


u Rk wn 


Remove private endpoint connections. 


You will need to wait up to 14 days for any items that were deleted prior to disabling soft 
delete to be removed. You need to wait as disabling soft delete does not disable the soft delete 
functionality for existing deleted items, only for items deleted after soft delete is disabled. 


NEED MORE REVIEW? DELETE RSV 


You can learn more about deleting RSVs at https://docs.microsoft.com/en-us/azure/backup/ 
backup-azure-delete-vault. 
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Back up and restore files and folders to Azure Recovery 
Services vault 
There are two types of file and folder backups that are possible with Azure Backup: backing up 
and recovering an Azure File Share and backing up and recovering files and folders that are 
internal to a Windows Server computer running on-premises or as an laaS VM. This section 
addresses the first backup and recovery scenario, with the second type addressed later in this 
chapter. 

To back up Azure File Shares in the same region as an existing RSV, perform the following 
steps: 

1. Inthe Azure portal, navigate to Backup Center and select +Backup. 

2. From the Datasource Type drop-down menu, select Azure Files (Azure Storage) and 
the RSV that you want to host the backup for the Azure File Share. 

3. Select the Storage account that hosts the Azure File Share and then select the file shares 
that you wish to back up. 

4. You can choose to use the default policy that will back up the file share on a daily basis 
and retain the backups for 30 days. You can also create a new policy. You will learn more 
about creating new policies later in this chapter. 

To recover files to an Azure File Share, perform the following steps: 
1. Inthe Azure portal, navigate to Backup Center and select Restore. 


2. From the Datasource Type drop-down menu, select Azure Files (Azure Storage) and 
then select the file share that you wish to restore data from. 


3. Choose the backup restore point from which you wish to recover files. You can choose 
to restore to the original Azure File Share or to an alternate location. You should use 
an alternate location if you are not sure which restore point has the version of the file 
or files you wish to restore. If you want to overwrite the contents of the share with the 
contents of the backup, choose to restore to the original location. 

When you recover files to an Azure File Share that is configured to work with Azure File 
Sync, the files will not immediately replicate down to the Azure File Sync endpoint. This is 
because Azure File Sync detects and replicates file changes on each file server endpoint but 
does not automatically detect changes that occur on Azure File Shares. 


Install and manage Azure Backup Server 

Microsoft Azure Backup Server (MABS) is a workload that you deploy on a Windows Server 
instance that allows you to perform backup and recovery tasks against on-premises Hyper-V 
VMs, Microsoft SQL Server, Microsoft Exchange, and VMWare VMs. MABS is similar to System 
Center Data Protection Manager (DPM), but DPM has a more comprehensive number of work- 
loads that it can back up. 
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MABS must be deployed on a Windows Server computer that is joined to an AD DS domain. 
You can use any edition of Windows Server 2016 and later with the desktop experience option. 
You cannot deploy MABS on Windows Server instances that are deployed using the Server 
Core installation option. You should avoid deploying MABS on computers that have the follow- 
ing additional workloads: 


= Computers that are AD DS domain controllers 

= Computers that have the Application Server role installed 

= Acomputer deployed as a System Center Operations Manager management server 
= A computer that has Exchange Server running 

= Acomputer that is participating as a node in a failover cluster 


You can download the MABS server software from an existing recovery vault by performing 
the following steps: 


1. Under Getting Started in the recovery vault in the Azure portal, select Backup. 


2. Select Backup Goal and ensure that you select the On-premises option and the nature 
of the workloads that you wish to back up. If you select Hyper-V Virtual Machine, 
Microsoft SQL Server, Microsoft SharePoint, or Microsoft Exchange, you will be able to 
download the MABS software. If you only choose Files and Folders, you'll instead get 
the MARS agent. 


3. You'll also need to download the vault credentials file. The vault credentials file is valid 
for two days, after which you'll need to obtain a new credentials file if setting up MABS. 


The MABS installation package comes with a version of SQL Server that will automatically 
be installed and configured to support MABS. You can also use your own separate SQL Server 
instance and MABS will work with SQL Server 2014 SP1 or later. Unlike System Center Data 
Protection Manager, the SQL Server instance must be deployed on the same Windows Server 
instance as the MABS server. 


During deployment of MABS, you will need to choose a scratch location that will be able 
to host approximately 5 percent of whatever data you will regularly back up to Azure. You 
should configure the Windows Server instance hosting MABS with a second volume to host this 
scratch data. 


Additional disks can be configured in a storage pool to host recent backup data. MABS 
works by keeping the most recent backup data on-premises as well as replicating it to Azure. 
Longer-term data is tiered to Azure. Most restoration operations will involve backups that are 
from the recent past. If you have to restore data from an older snapshot, that data will synchro- 
nize back down from Azure. Microsoft recommends that you have local disk storage that is 
twice the size of the amount of data you are protecting in your regular backup routine. 


MABS uses the Data Protection Manager Protection Agent, also termed the MABS agent, on 
hosts that have workloads that you want to protect. You can deploy this agent on other Win- 
dows Server computers that host the workload you want to protect, such as Hyper-V servers 
and cluster nodes, and computers that host Exchange Server, SharePoint, and SQL Server. 
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NEED MORE REVIEW? AZURE BACKUP SERVER 


You can learn more about Azure Backup Server at https://docs.microsoft.com/en-us/azure/ 
backup/backup-azure-microsoft-azure-backup. 


Back up and recover using Azure Backup Server 


You can use MABS to back up Hyper-V virtual machines, VMware servers, Exchange, Share- 
Point farms, SQL servers; to protect system state data; and to perform bare-metal recovery of 
physical servers. 


When using MABS to protect Hyper-V workloads, you install the MABS protection agent on 
the Hyper-V server. When it's configured you can protect: 


m Virtual machines hosted on local or directly attached storage (storage area network 
[SAN] or network attached storage [NAS] devices) 


m Virtual machines in a cluster with CSV storage 


MABS can perform host-level and guest-level backup of Hyper-V VMs. If you configure 
protection at the host level, the MABS agent is deployed on the host server or cluster. This 
protects entire VMs and data files on that host. You can also install the MABS agent on each 
virtual machine. If you want to perform item-level recovery for virtual machines, it is necessary 
to have the Hyper-V role enabled on the MABS server. You don't need this role installed if you 
want to recover entire virtual machines. 


MABS can back up Hyper-V servers or clusters in the same AD DS forest. You can also use 
MABS to back up Hyper-V on standalone servers or untrusted domains if you configure certifi- 
cate authentication. 


To recover data using MABS, perform the following steps: 


1. Download current vault credentials from the RSV associated with the MABS server. 
Remember that credentials are current for between two and 10 days. 


2. Inthe MABS console, select the Add External DPM option and then select the vault 
credentials file. 


3. Browse the list of protected servers in the Azure recovery vault (represented as External 
DPM Online Data) and choose the data source you wish to recover. 


4. Select the recovery point from which you want to recover. 


Right-click the item you want to recover and select Recover, and then specify the loca- 
tion to which you wish to recover the protected data. When performing a recovery to 
the same location as the original, you can choose: 


m Create copy This will create a copy of any file that exists in the destination. 
= Skip This will skip the restoration of any file that exists in the destination. 


= Overwrite This will overwrite any file in the destination. 
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NEED MORE REVIEW? RECOVER DATA FROM AZURE BACKUP SERVER 


You can learn more about recovering data from Azure Backup Server at https:// 
docs.microsoft.com/en-us/azure/backup/backup-azure-alternate-dpm-server. 


Create a backup policy 


Backup policies determine the schedule at which a backup is taken and how long each backup 
is to be retained in the Recovery Services vault. Creating a backup policy involves choosing the 
following: 


m Whether the backup occurs on a daily or weekly basis. You also specify what time and 
time zone the backup should occur. 


= How many instant restore points should be available. You can choose between 1 and 5. 
m How long to retain: 
= Daily backup points Available if you've configured daily backups. 


= Weekly backup points This option varies depending on whether you have 
selected daily or weekly backups. If you selected to take daily backups, you select 
which day's daily backup will be stored as a weekly backup. If your backups are taken 
once a week, this is the retention of your normal weekly backups. 


= Monthly backup points The retention for one of the regular backups taken once 
a month as part of the existing schedule to be identified and kept as a monthly 
backup. You choose which of the scheduled backups this will be when configuring 
the schedule. This backup will be both a weekly and monthly backup and retain that 
identifying metadata, but will be retained according to the longer monthly backup 
retention setting. 

= Yearly backup points The retention of one of the regular backups taken as part 
of the existing schedule and which will then be identified as a yearly backup. This 
backup will retain its daily, weekly, and monthly metadata as appropriate but will be 
stored according to the longer yearly retention policy. 

When creating a schedule, you specify a period of daily or weekly and then provide a spe- 
cific hour and minute when the backup should be created. If you update a policy, increasing or 
decreasing the retention duration, the new retention duration is applied to existing recovery 
points. Similarly, if you change the backup schedule from daily to weekly, existing daily recov- 
ery points that don’t conform to the weekly schedule will be removed. 

Backup policies have the following additional properties: 

= Backup policies are created per vault. 


m You can create backup policies for Azure VMs, SQL in Azure VMs, SAP HANA in Azure 
VMs, and Azure File Shares. 


m You create backup policies for files and folder backup when using the MARS agent using 
the MARS console. 
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m You can apply a single policy to multiple resources of the same type. For example, an 
Azure VM backup policy can apply to multiple VMs. 


You can use Azure Policy to apply the same backup policies across multiple vaults in a sub- 
scription or management group. 


NEED MORE REVIEW? CREATE OR UPDATE PROTECTION POLICIES 


You can learn more about creating backup policies at https://docs.microsoft.com/en-us/rest/ 
api/backup/protection-policies/create-or-update. 


Configure backup for Azure Virtual Machines using the 
built-in backup agent 

There are two primary methods through which you can back up an Azure VM. You can config- 
ure backup external to the VM using the Azure Backup service, or you can use the MARS agent 
to perform backups of individual items within the VM. As the MARS agent was covered earlier 
in this chapter, this section focuses on backing up Azure laaS VMs using the Azure Backup 
service. 


Windows Server Backup 


Windows Server Backup is the default backup application included with Windows Server. 
Windows Server Backup is a basic backup solution and it only enables you to back up to disk 
or network shares. Tasks for long-term retention, like export to tape, require a more sophisti- 
cated solution, such as System Center Data Protection Manager. Windows Server Backup has a 
minimal level of reporting functionality and has no native functionality that makes it possible 
to send alerts to an administrator through email if a backup fails. 


Windows Server Backup enables you to back up and recover the following: 
m Full server (all volumes) 

m Specific volumes 

= Specific folders 

m System State data 

m Individual Hyper-V hosted virtual machines 

m Volumes exceeding 2 terabytes (TB) in size 

m Volumes with 4 kilobyte (K) sector size 

m Cluster Shared Volumes 


Although you can connect from the Windows Server Backup console to other comput- 
ers to remotely manage Windows Server Backup, you can only use an instance of Windows 
Server Backup to back up the local computer. For example, whereas you can back up network 
share folders that the computer is able to access, such as a mapped network drive, you can’t 
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configure Windows Server Backup on one computer to do a full-volume or System State 
backup of another computer. 


You can configure exclusions for backup jobs run on Windows Server Backup. Exclusions are 
specific file types that you want to exempt from the backup process. You can configure exclu- 
sions based on file type, or you can choose to exclude the contents of entire folders and their 
subfolders. For example, you can configure an exclusion that stops files with the tmp extension 
in the c:\shared-docs folder and its subfolders from being written to backup. 


Users who are local Administrators or members of the Backup Operators group can use 
Windows Server Backup to back up the entire computer, volumes, files or folders, and the Sys- 
tem State. You can grant other security principals this right by editing the Back Up Files and 
Directories Group Policy item. Windows Server Backup does not encrypt backups by default, 
which means that the data stored in those backups might be read if the backup media falls into 
the wrong hands. When you are backing up data, you can configure access control so that only 
users with specific credentials can access the backup, but this still does not encrypt the backup. 


BACKUP LOCATIONS 

Windows Server Backup enables you to back up to any locally attached disk, to a volume, 

to the storage area network (SAN), or to any network folder. When configuring a scheduled 
backup, you should specify a destination volume or disk that is empty. If the disk is local or con- 
nected to the SAN, Windows Server Backup performs a full backup at least once every 14 days 
and incremental backups on subsequent backups. Incremental backups in Windows Server use 
block-level backups rather than file-level backups, meaning that the incremental backups are 
much smaller. Rather than backing up all the files that have changed since the last backup, only 
the data blocks that have changed on the hard disk are backed up. For example, if you change 
one image in a 25 MB PowerPoint file after it is backed up, only the data blocks associated with 
that image are backed up next time, not the whole 25 MB file. 


There is exception to the rule about how data is written during scheduled automatic full 
and incremental backups. This exception occurs when the backup data is written to a network 
folder. When you back up to a network folder, as opposed to a SAN-connected disk, which 
appears as local to Windows Server, each backup is a full backup and the previous full backup 
that was stored on the network share is erased. Because only one backup at a time can be 
stored on a network share, if you choose to back up to this location you can’t recover data from 
any backup other than the most recently performed one. 

You can modify the performance of full-system and full-volume backups by using the Opti- 
mize Backup Performance dialog box, and you can increase backup performance by using the 
Faster Backup Performance option. The drawback of selecting this option is that it reduces 
disk performance on the disks that host the volumes you are backing up. 

You can back up data using a variety of methods with Windows Server Backup. You can 
configure a scheduled backup, which means a backup occurs on a scheduled basis. You can 
also perform a one-off backup. When you perform a one-off backup, you can either use the 
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existing scheduled backup settings or you can configure a separate set of settings for one- 

off backups. For example, you can configure Windows Server Backup to perform a full server 
backup twice a day to a locally attached disk. You can connect at any time and perform a one- 
off backup where you select only specific files and folders and have them written to a location 
on the network. 


ROLE AND APPLICATION BACKUP 


Most Windows Server roles and features store data in locations that are backed up when you 
perform a System State backup. System State data is automatically backed up when you per- 
form a full server backup or select it for backup. Depending on the roles and features installed 
on the computer running Windows Server 2019, the System State can contain the following 
data: 


m Registry 

= Local users and groups 

m COM+ Class Registration database 

= Boot files 

= Active Directory Certificate Services (AD CS) database 
m Active Directory database (Ntds.dit) 

m SYSVOL directory 

m Cluster service information 

m System files under Windows Resource Protection 

m Internet Information Services (IIS) settings 


Some applications also register themselves with Windows Server Backup. This means that 
when you perform a full server backup, you can recover data that is only relevant to the appli- 
cation without having to perform a full system restore. Support for application registration 
depends on the application. You can’t select a specific application for backup using Windows 
Server Backup, but you can restore applications that have registered themselves with Windows 
Server Backup as long as you've previously performed a full server backup. 


RESTORE FROM BACKUPS 


Windows Server Backup enables you to restore data that has been backed up on the local 
computer, or data that was backed up on another computer using Windows Server Backup that 
is accessible to the local computer. You can use Windows Server Backup to do the following: 


= Torestore files and folders as well as applications. 


m To restore the System State data. After the System State data is restored, you must 
restart the computer. 


m To restore any volume except the one that hosts the operating system. If you want to 
restore the volume that hosts the operating system, you need to boot into the Windows 
Recovery Environment. 
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You can use the Windows Recovery Environment to perform a full server restore, also 
known as a bare-metal recovery. When you do this, all existing data and volumes on the server 
are overwritten with the backed-up data. 


If multiple backups of the data you want to restore exist, select which version you want to 
restore. If you are unsure which date holds the data you want to restore, you should restore to 
multiple alternative locations and then perform the comparison. This process saves you from 
restoring, figuring out you've restored the wrong data, performing another restore, and then 
figuring out that restore isn’t right either. 


Windows Server Backup writes backups to VHDX files, the same type of file that is used with 
Hyper-V and when creating disks for Internet Small Computer System Interface (iSCSI) targets 
and disks in storage pools. Windows Server also allows you to mount the contents of a virtual 
hard disk (VHD), which allows you to examine those contents without having to perform a full 
restoration using Windows Server Backup. 


RESTORE TO AN ALTERNATIVE LOCATION 

When you are performing data restoration, you can choose to restore data to the original loca- 
tion or to an alternative location. It is not uncommon when restoring data to the original loca- 

tion for backup administrators to unintentionally overwrite good, live data with older, restored 
data. If you restore to an alternative location, it's possible to compare the restored data against 
the current data. It’s also important when restoring data that you retain permissions associated 
with data. 


If you choose to restore to the original location, you can configure Windows Server Backup 
to perform one of the following tasks: 


m Automatically create copies if an original exists. 
m Overwrite existing versions. 


= Do not recover any item that exists in the recovery destination. 


The MARS agent 


The Microsoft Azure Recovery Services (MARS) agent allows you to back up data directly to 
a Microsoft Azure backup recovery services vault service. You install the MARS agent client 
on the internet-connected computer server that you want to back up, and the backup data is 
stored in an Azure Recovery vault. The MARS agent functions as an off-site data storage and 
recovery service and can be used in conjunction with Windows Server Backup. If a site is lost, 
you can still recover this important data from Azure. 

You can run both the Windows Server Backup and Azure Backup agent services in parallel. 
This approach enables you to perform local backups and backups to Azure on the same server. 
You can then do frequent full server backups locally, with infrequent critical data backups to 
Azure. When you employ this strategy, you mostly restore data from your local backups. It's 
only when something goes drastically wrong that you need to restore data from Azure. 
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The key to understanding what data to back up to Azure is looking at what types of infor- 
mation your organization might lose if a site has some type of disaster. You can always reinstall 
operating systems and applications from media that you can easily obtain again. The data 
stored on your servers, however, such as documents and settings, is something that you can't 
generate from installation media. By storing data in the cloud, you can recover it in the event 
of a disaster after you've rebuilt your server infrastructure. The MARS agent supports backing 
up data sources from single volumes up to 54,400 GB. 


You can use the MARS agent to perform the following tasks: 


m Back up on-premises, Azure, or cross-cloud Windows computers to an Azure Recovery 
Services vault 


m Back up a Microsoft Azure Backup Server (MABS) or a System Center Data Protection 
Manager (DPM) server that hosts backup data from on-premises workloads to an Azure 
Recovery Services vault 


The MARS agent has the minimum retention limits outlined in Table 3-1. 


TABLE 3-1 MARS agent minimum retention limits 


Recovery point Duration 
Daily recovery point 7 days 
Weekly recovery point 4 weeks 
Monthly recovery point 3 months 
Yearly recovery point 1 year 


You cannot use the MARS agent to back up the following: 


= Read-only volumes The Volume Shadow Service (VSS) only functions on writable 
volumes. 


= Offline volumes Only online volumes can be backed up. 


= Networkshares You can only use the MARS agent to back up data on volumes local 
to the server. 


m ReFSvolumes As of mid-2022, the MARS agent does not support backing up data 
stored on ReFS volumes. 


= Removable media The MARS agent cannot back up storage marked as removable, 
such as a removable disk drive. 


DEPLOYING THE MARS AGENT 

The entire process of configuring and managing Azure Backup can be performed from Win- 
dows Admin Center. This includes the creation of a Recovery Services vault, which you use to 
store backup data in Azure. 
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To configure Azure Backup with Windows Admin Center, perform the following steps: 


1. When you are connected to the server you wish to configure with Azure Backup, select 
Azure Backup in Windows Admin Center and then select Set Up Azure Backup. 

2. Ifyou aren't already signed into an account with Azure administrator permissions, you'll 
be required to sign into Azure. 


3. By default, an Azure datacenter and Recovery Services vault will be selected for cre- 
ation. You also have the option of creating your own Recovery Services vault, and you 
can specify a resource group and datacenter location. You can also choose an existing 
RSV if you have configured Backup in the past. 


4. By default, the System State data and all volumes will be protected. By default, backups 
will occur weekly and be retained for four weeks. You can alter what is protected using 
the Azure Backup Utility that will be installed on your server. 


5. You will be prompted to provide an encryption passphrase. Make sure that you keep a 
record of this passphrase somewhere other than a text file on the desktop of the server 
because without the passphrase, you will not be able to perform restore operations. 
Microsoft cannot perform a restoration for you if you lose the passphrase since they are 
never provided with a copy and just store the backup data encrypted with the pass- 
phrase. The passphrase must be a minimum of 16 characters long, and you can save it to 
an external location, such as a USB storage device. 


6. Once you select OK and then Apply, the infrastructure in Azure will be created for you, 
and the selected backup schedule will be enacted. 


As an alternative to using Windows Admin Center to deploy the MARS agent on a Windows 
Server computer, you can download the MARS agent from the RSV and deploy it directly on 
each Windows Server computer. To do this, perform the following steps: 


1. In the RSV under Getting Started, select Backup. 


2. On the Where is your Workload Running? page, select On-premises. You choose this 
option whether or not you are deploying the MARS agent on an on-premises Windows 
Server instance or one running in Azure or another location. 


3. On the What do you want to back up? page, choose between the following options: 
m Files and folders 
m Hyper-V Virtual Machines 
m VMware Virtual Machines 
m Microsoft SQL Server 
m Microsoft SharePoint 
m Microsoft Exchange 
m System State 


m Bare Metal Recovery 
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4. Onthe Prepare Infrastructure page, download the agent and the vault credentials. 


On the computer on which you wish to deploy the agent, run the agent installer. You will 
be asked to provide the following information: 


= Installation Folder Where you want to place the MARS agent files. 


m Cache Location Where you want to cache backup data before it is transmitted to 
Azure. 


m Proxy Configuration Any proxy settings that need to be configured to allow the 
agent to communicate with Azure. 


6. Once the installation has completed, you will be asked to perform registration. This is 
where you provide the vault credentials that you downloaded earlier from the RSV. 


7. The final step is to provide a backup passphrase that will be used to protect backup data 
using encryption. 


BACKING UP DATA TO AZURE BACKUP AGENT 

Modifying an Azure Backup Schedule and selections is very similar to the Schedule Backup 
Wizard in Windows Server Backup. After the Azure Backup Agent is installed by Windows 
Admin Center, you can run the tool to do the following: 


= Select which items to back up Item selection is file and folder based. Although you 
can select a volume to back up, you don’t use Azure Backup to perform full volume 
recovery in the same way you would use Windows Server Backup. When selecting items 
to back up, you can configure exclusions for file types, folders, or folder trees. 


m Selecta backup schedule This option determines how often a synchronization 
occurs. You can configure Azure Backup to synchronize up to three times per day. You 
can also configure bandwidth throttling. Throttling enables you to limit the utilization of 
bandwidth and ensures that your organization's internet connection isn't choked with 
backup traffic replicating to the recovery vault on Azure during business hours. 


= Configure backup retention The retention setting, which you configure on the Spec- 
ify Retention Setting page, determines how long backup data is stored in Azure before 
it is deleted. You can configure retention for Windows Server Backup when creating a 
policy in Windows PowerShell. 


RESTORE FROM AZURE BACKUP 
Azure Backup enables you to restore files and folders that are stored in your Azure recovery 
vault. You can’t perform a full server recovery, System State recovery, or volume recovery using 
Azure Backup; you can only restore files and folders. Of course, if you've backed up all the files 
and folders on a volume, you can either restore all of them individually or all at one time. Azure 
Backup also enables you to restore data from another server that you've backed up to Azure. 
Recovering data using Azure Backup involves performing the following steps: 

m Select the server that you want to recover data from. 


m Select whether you want to browse or search for files to recover. 
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= Select the items that you want to recover. You can recover files, folders, and folder trees. 


m Select Recovery Options, including whether you want to restore to the original location, 
to an alternative location, or to create copies or overwrite original files. You can also use 


Select the volume that hosts the data you want to recover and the specific backup date 
and time that you want to recover data from. 


this page of the wizard to choose whether to restore the original permissions. 


To remove all backup data from a recovery vault using Azure Backup, you'll need to go into 
the Azure Console and generate a security PIN. The PIN is valid only for a short period of time. 


NEED MORE REVIEW? BACKING UP WINDOWS WITH THE MARS AGENT 


You can learn more about backing up Windows with the MARS agent at https:// 


docs.microsoft.com/azure/backup/backup-windows-with-mars-agent. 


Vssadmin 


Volume Shadow Copy Services (VSS) is a technology that provides a snapshot of data ona 
volume as it existed at a specific point in time. VSS enables you to make a consistent backup of 


a file that is in use, such as a mailbox database or SQL Server database. Prior to the introduction 


of VSS, you might have needed to take such a database offline to ensure that the database's 
backup was consistent. Consistency issues arise when it takes so long to back up a large file 
or system that the configuration of the system or the contents of the file change during the 
backup. Windows Server Backup, Azure Backup Agent, and other backup products, such as 


Data 
sents 


Protection Manager, use VSS to ensure that the data backed up is consistent and repre- 
the state of the backed-up data as it was at the point when the backup started without 


having to take in-use files offline. 


Vs 
shots 


sadmin is a command-line utility that enables you to manage volume shadow copy snap- 
. You can use Vssadmin to perform the following tasks: 


Configure the location of shadow copy storage. 
Create a shadow copy. 

Delete a shadow copy. 

Delete shadow copy storage. 

View existing shadow copies. 

View existing shadow copy storage. 

View volumes that are configured with shadow copies. 


View subscribed shadow copy writers and providers (special software that creates and 
manages shadow copies). 


Resize shadow copy storage. 
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You can also view shadow copy status on a per-volume basis through the Previous Versions 
tab. When used with file shares, the VSS snapshots exposed through the Previous Versions 
functionality enable users to recover previous versions of files and folders without having to 
restore from backup. To do this, right-click the parent folder or volume and select Restore 
Previous Versions. You can then select previous versions of files that correspond to existing 
VSS snapshots. 


Although Vssadmin allows you to create and manage VSS snapshots, you can’t use it to con- 
figure a schedule to automatically create VSS snapshots. You can configure a schedule to create 
VSS snapshots on a per-volume basis by right-clicking a volume and selecting Configure 
Shadow Copies. After you enable shadow copies, you can configure a schedule in the Settings 
dialog box. By default, when you enable shadow copies, a shadow copy is created at 7:00 a.m. 
and noon every weekday, but you can modify the schedule so that copies are created more 
often. When doing this, remember that after the initial allocated space used to store shadow 
copies is consumed, older shadow copies are removed to make space to store new versions. 
The amount of space needed to store shadow copies and the retention period depends on the 
properties of the data stored on the volume. 


Azure VM Backup 


Azure Backup performs a snapshot of the running VM and then transfers that data to an RSV 
that you specify that is located in the same region as the laaS VM. Snapshots of Windows 
Server VMs are application consistent and use Volume Shadow Copy Services (VSS). Applica- 
tion-consistent backups of Windows Server VMs capture the contents of memory and pending 
1/O operations. This means that when you restore from an application-consistent backup, the 
VM is booted and operational. Scheduled and on-demand backups are also performed against 
shutdown VMs, which are by their nature application and file consistent. 


Azure Backup can be configured during the creation of an laaS VM. You do this on the 
Management tab of the wizard you use to create the VM. You can also enable the backup of 
an laaS VM after the VM has been deployed. A user with the VM Contributor role can enable 
backup on an laaS VM. If you are creating custom roles, the following permissions are required 
to enable Azure Backup for an laaS VM: 


m Microsoft.RecoveryServices/Vaults/write 
m Microsoft.RecoveryServices/Vaults/read 
m Microsoft.RecoveryServices/locations/* 


m Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/ 
protecteditems/*/read 


= Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/ 
protecteditems/read 


m Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/ 
protecteditems/write 


m Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write 
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m Microsoft.RecoveryServices/Vaults/backupPolicies/read 

m Microsoft.RecoveryServices/Vaults/backupPolicies/write 

You can trigger an on-demand backup job to perform an immediate backup of an laaS 
VM. By default an on-demand backup will be retained for 30 days, but you can vary this when 
configuring the backup. 

You enable backup for an Azure laaS VM by performing the following steps: 

1. In the Azure portal, navigate to Backup Center and select Backup. 

2. From the Datasource Type drop-down menu, select Azure Virtual Machines and then 
select the RSV to which you wish to write backup data. 

3. On the Configure Backup page either select an existing policy or create a new backup 
policy. Backup policies were covered earlier in the chapter. The Default policy is avail- 
able and will back up a VM every 24 hours, retaining those backups for 30 days. Instant 
recovery snapshots will be retained for two days. 

4. Select Add and select VMs that you wish to back up. Remember that laaS VMs and the 
RSV need to be in the same Azure region. 


Backup pre-check 
Backup pre-checks assess your laaS VM configuration to determine if there are configuration 
elements that may impact successful backup operations. For example, a pre-check assessment 
will tell you what steps you might need to take with a specific VM workload to ensure success- 
ful file-consistent or application-consistent backups. You can view backup pre-check assess- 
ments in the RSV dashboards. 
Backup pre-check assessments will provide you with the following information about each 
Azure laaS VM that you have configured for protection: 
m Passed The laaS VM's configuration supports successful application- and file- 
consistent backups and no further action is required. 
= Warning The pre-check assessment has detected one or more issues that may lead to 
the failure of backup operations. Remediation steps will be provided. 
m Critical The pre-check assessment has detected one or more issues that will lead to 
the failure of backup operations. Remediation steps to resolve these issues are provided. 


NEED MORE REVIEW? BACK UP AN AZURE VM 


You can learn more about backing up an Azure VM at https://docs.microsoft.com/en-us/azure/ 


backup/backup-azure-vms-first-look-arm. 


Restore a VM 


The most common way of restoring an laaS VM is to restore the VM from the Azure portal. 
When you restore a VM, you have the option of performing a restore that overwrites the cur- 
rent VM with the restored VM, creating a new laaS VM in its entirety, or restoring a VM disk 
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that you can use to create a VM. If you've enabled Cross Region Restore on the RSV, you can 
restore the VMs to a secondary region that is configured as an Azure paired region. 


Instant recovery snapshots allow you to recover an Azure laaS VM directly from a backup 
snapshot that is present with the VM rather than recovering from a copy of a backup snapshot 
stored in the Recovery Services vault. Because recovery snapshots do not need to be retrieved 
from the vault, instant restores occur more quickly than restorations from the vault. The num- 
ber of instant restore points available to an laaS VM depends on the retention duration you 
configure for snapshots. You can configure Azure Backup to store up to five instant recovery 
snapshots. Increasing the number of recovery snapshot storage increases billing charges. 


NEED MORE REVIEW? RESTORE VM 


You can learn more about restoring VMs at https://docs.microsoft.com/en-us/azure/backup/ 
backup-azure-arm-restore-vms. 


Restore and overwrite existing VM 


To restore to and overwrite an existing VM, which you would do in the event that you want to 
roll the existing laaS VM back to an earlier known good state, perform the following steps: 


1. Inthe Azure portal, navigate to Backup Center and select Restore on the Overview tab. 


2. From the Datasource type drop-down menu, select Azure Virtual Machines and then 
select a backup instance. 


From the list select the VM that you wish to restore and select Continue. 


4. You will be presented with a list of restore points from which you can restore. Choose 
the known good state to restore from and then select Replace Existing Restore 
Configuration. 


The existing VM will be removed and is replaced by the restored VM. The restored VM will have 
all of the properties of the replaced VM, such as IP address, name, virtual network configura- 
tion, and RBAC security configuration. This replacement laaS VM will simply be in the state it 
was in when the backup restore point you have chosen to restore was taken. 


Recover VMs to new Azure virtual machines 
In some scenarios you may not know which of the restore points is the best state to restore 
to. For example, you may be attempting to recover from a data or configuration corruption 
that occurred at some point, but you may not be sure when that point was. To determine the 
best restore point to recover the original VM to, you can choose to perform a restore where 
you create a new VM. Once you've done that, you can then overwrite the existing VM with the 
known good backup. To recover a VM to a new Azure laaS VM, perform the following steps: 

1. Inthe Azure portal, navigate to Backup Center and select Restore on the Overview tab. 


2. From the Datasource Type drop-down menu, select Azure Virtual Machines and then 
select a backup instance. 
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From the list, select the VM that you wish to restore and select Continue. 


You will be presented with a list of restore points from which you can restore. 

Choose the known good state to restore from and then select Create New Restore 
Configuration. 

In the Virtual Machine Name section, specify a new VM name that is unique to the 
subscription. 

In the Resource Group section, either select an existing resource group for the laaS VM 
or choose a new resource group for the VM. 


In the Virtual Network section, select the virtual network you wish to connect the 
VM to and then select the subnet to which you wish to connect the VM's network 
adapters. 


Specify the staging location storage account that the VM data will be recovered to as 
during the restoration process and then select Restore to restore the VM. 


Restore VM disks 


Another option you have when performing a restoration is rather than restoring the VM in its 
entirety, you can create a separate disk from a restore point and then perform the following 
actions using the disk: 


Use a custom template generated using the restore operation to trigger the deploy- 
ment of a new VM. You might do this if you wanted to have the restored VM bea 
different SKU from the one that was originally backed up. 


Attach the restored disk to an existing VM. 


Create a new VM from the restored disk using PowerShell. 


To restore VM disks, perform the following steps: 


1. 


2. 


In the Azure portal, navigate to Backup Center and select Restore on the Overview tab. 


From the Datasource Type drop-down menu, select Azure Virtual Machines and then 
select a backup instance. 


From the list, select the VM that you wish to restore and select Continue. 


You will be presented with a list of restore points from which you can restore. 
Choose the known good state to restore from and then select Create New Restore 
Configuration. 


From the Restore Type drop-down menu, select Restore Disks. 
Select a resource group for the restored disk or disks or create a new resource group. 


Choose a storage account to host the staging location for the restored virtual hard 
disks. 


Skill 3.1: Manage backup and recovery for Windows Server 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


139 


140 


You also have the option when performing this restore type of replacing an existing disk on 
an laaS VM instead of restoring the disks to a separate location. 


NEED MORE REVIEW? AZURE VM RESTORES 


You can learn more about Azure VM restores at https://docs.microsoft.com/en-us/azure/ 
backup/about-azure-vm-restore. 


Restore encrypted VM 
Azure Backup can restore an encrypted VM under the following conditions: 


m Azure Disk Encrypted (ADE) laaS VMs can be backed up and restored in the same 
subscription. 


m You can back up and restore VMs encrypted using standalone keys. You cannot use an 
encryption key that is part of a certificate used to encrypt a VM. 


m You cannot perform a file- or folder-level restore of an ADE laaS VM. It is necessary to 
restore the entire VM. 


m Itis only possible to restore a VM to a new instance, and you can’t replace an existing 
ADE laaS VM with a restored ADE laaS VM. 


NEED MORE REVIEW? RESTORE ENCRYPTED VM 


You can learn more about restoring an encrypted VM at https://docs.microsoft.com/en-us/ 
azure/backup/restore-azure-encrypted-virtual-machines. 


Restore individual files 


Rather than restoring an entire VM, you might only need to restore a set of specific files to an 
Azure laaS VM. If you've only been protecting the VM with Azure Backup and not the MARS 
agent, to restore the files you'll need to generate and use a file recovery script. You then run 
the recovery script, which will connect the VM to the recovery point and mount that recovery 
point as a local volume. Once the recovery point is mounted as a local volume on the Windows 
Server laaS VM, you will be able to copy the recovered files from the recovery point to the local 
computer. Once the files are copied across, you can dismount the mounted volume that con- 
nects you to the recovery point. 


If you've been using the MARS agent to back up the file, you can connect to the VM and use 
Microsoft Azure Backup to recover the files you need from a recovery point stored in Azure. To 
do this, perform the following steps: 


1. Run Microsoft Azure Backup on the computer on which you wish to recover files. 


2. Select Recover Data. Choose the server from which you want to recover data and select 
the Individual Files and Folders recovery mode. 
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3. Onthe Select Volume and Data page, select the volume that hosts the files that you 


wish to restore and the backup point date from which you wish to restore. 


4. The recovery volume will be mounted, and you will be able to select Browse to open 
Windows Explorer, allowing you to view the files you wish to recover that can then be 


copied across to the computer on which you are recovering them. 


5. Once you have completed the recovery of files, you can select Unmount in the Recover 


Data Wizard of Azure Backup. 


NEED MORE REVIEW? RESTORE INDIVIDUAL FILES 


You can learn more about restoring individual files at https://docs.microsoft.com/en-us/azure/ 


backup/tutorial-restore-files#generate-file-recovery-script. 


EXAM TIP 


Remember that you need to deploy Microsoft Azure Backup Server when backing up an on- 
premises server that has the Hyper-V role installed if you want to back up Hyper-V virtual 


machines or perform a bare-metal restore. 


Skill 3.2: Implement disaster recovery by using Azure 


Site Recovery 


Azure Site Recovery provides you with the ability to use Azure as a disaster recovery site or asa 
mediator in the disaster recovery process on failing over physical and virtual server workloads 
to asecondary site. Azure Site Recovery has many constituent parts, and how you configure 
and use Azure Site Recovery depends on the nature of the workload you are protecting and 


the type of recovery you choose to implement. 


This section covers how to: 


Understand Azure Site Recovery 

Configure Site Recovery for on-premises VMs 
Configure a recovery plan 

Configure Site Recovery for Azure Virtual Machines 
Configure Azure Site Recovery networking 


Configure Azure Site Recovery policy 
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Understand Azure Site Recovery 


Azure Site Recovery (ASR) allows you to replicate physical and virtual machines from one site 
to a secondary location. The primary and secondary locations can be on-premises, Azure, or 
a mixture of both. ASR is designed so that when an outage occurs at the primary location, you 
can initiate a failover to the secondary location. Once you restore service to the primary loca- 
tion, you can use the failback process to return the workloads to that site. Azure Site Recovery 
integrates with Azure Backup and uses Recovery Services vaults (RSVs), which were detailed 
earlier in this chapter. 


ASR includes the following functionality: 


Set up and manage replication, failover, and failback from a primary site to a secondary 
site using a single location in the Azure portal. 


Manage disaster recovery for Azure laaS VMs from a primary region to a secondary 
region. 

Replicate on-premises VMs running under Hyper-V or VMware to Azure or a secondary 
on-premises datacenter. 

Replicate physical servers to Azure or to a secondary on-premises datacenter. 


Site recovery provides continuous replication for Azure VMs and VMware VMs. Hyper-V 
VMs can replicate as frequently as every 30 seconds. 


Support for application-consistent snapshot replication so that data in memory and 
transaction in process shift to the alternate site. 


Support for running disaster recovery drills without impacting ongoing replication of 
virtual machine data and state. 


Planned failovers can be initiated with zero loss of data. 


Unplanned failovers can be triggered with minimal data loss depending on replication 
frequency. 


Customized recovery plans allow you to orchestrate the sequence of failover and recov- 
ery for multitier applications. 


Network integration to reserve IP addresses, and configure load balancers and utiliza- 
tion of Azure Traffic Manager for efficient network switchovers. 


NEED MORE REVIEW? AZURE SITE RECOVERY OVERVIEW 


You can learn more about Azure Site Recovery at https://docs.microsoft.com/en-us/azure/ 


site-recovery/site-recovery-overview. 


Configure Site Recovery for on-premises VMs 


Azure Site Recovery allows you to replicate on-premises VMs and physical servers to Azure. 
In the event that a failure occurs at the on-premises site, you can spin up the replicated VMs 


142 


Implement disaster recovery 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


in Azure and host the workloads there. Once service is restored to the on-premises location, 
you can fail the workloads back to the on-premises location. ASR also supports managing the 
replication of Hyper-V VMs from one on-premises datacenter to another as long as those VMs 
are deployed on host servers configured in a Virtual Machine Manager (VMM) cloud. ASR can 
be used as a migration method to Azure. You will learn more about migration in Chapter 4, 
“Migrate Servers and Workloads.” 


You can configure site recovery for on-premises VMs as long as you have an RSV, a storage 
account, and a virtual network. The vault, storage account, and virtual network must be in the 
same region as each other. The Azure account used to configure ASR needs to have permis- 
sions to create a new Azure VM in the resource group and on the virtual network that is speci- 
fied when configuring ASR. The account also needs write permissions to the storage account 
used by ASR. 


If Hyper-V hosts are located in a VMM cloud, you orchestrate replication to Azure using 
VMM. You do this after installing the ASR provider on the VMM server and deploying the ASR 
agent on each individual Hyper-V host. You can use VMM to map VMM logical/VM networks 
to Azure Virtual networks. 


If Hyper-V hosts are not located associated with a VMM deployment, when configuring 
ASR, you add Hyper-V hosts and clusters into special Hyper-V sites. You then install the ASR 
Provider and the Recovery Services agent on each Hyper-V host. When configuring ASR for a 
cluster, ensure that all nodes in the cluster are registered with the same RSV. 


While ASR and Hyper-V Replica can be configured for the same virtual machine, you need to 
protect the Hyper-V Replica primary as a physical machine using an ASR Configuration/Process 
server. Hyper-V Replica is supported, but VM instances configured for extended replication 
are not. 


The process of failover to Azure follows these general steps: 
m Ifyou are performing a planned failover, source VMs will shut down. This ensures that 
no data is lost. 
m Unplanned failover can be performed from Azure if the primary site is not accessible. 
m You can perform failover of a single VM. 
m You can create a recovery plan that orchestrates the failover of multiple machines. 
Failover is not automatic and is performed either in the portal or by using PowerShell. 
Failover occurs in two phases. During the first phase, replica VMs are created in Azure. You can 
also assign public IP addresses to the Azure laaS VMs. In the second phase, you commit to the 
failover and begin accessing the workload hosted on the VM replicas hosting in Azure. 


Failback occurs in three stages. In the first stage, you perform a planned failback from Azure 
to the on-premises site. You can use Site Recovery to synchronize data before failover, and then 
you specify that failover should complete. This shuts down the VM in Azure and the failover 
occurs. You also have the option in the first stage of performing a full data disk download. This 
requires that the VM in Azure be offline for a longer period of time, but it’s more appropriate if 
the on-premises VM is corrupted or has been lost or the VMs in Azure have been running for a 
substantial period and the state has changed more dramatically. 
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In the second stage, you choose to fail back to the same VM or to an alternate VM. ASR 
can create a VM if it does not already exist. Once the synchronization completes and you have 
ascertained that the on-premises VMs are functioning as expected, you complete the failover. 
Once workloads have completely failed back to the primary sites, you enable reverse replica- 
tion. This will start replicating on-premises workloads to Azure so you can fail over in the future 
as required. 


NEED MORE REVIEW? PREPARE ON-PREMISES HYPER-V FOR SITE RECOVERY 


You can learn more about preparing on-premises Hyper-V for Site Recovery at https:// 
docs.microsoft.com/en-us/azure/site-recovery/hyper-v-prepare-on-premises-tutorial. 


Configure a recovery plan 


Recovery plans organize machines into recovery groups during ASR failover. You use a recov- 
ery plan to ensure that failover operations occur in a specific order. The recovery plan allows 
you to create individual units that can fail over, with each unit generally representing an app in 
the environment. Recovery plans have the following elements: 


m They define how VMs fail over and the sequence in which failover occurs. 
m They can be used to fail over and fail back from Azure. 

m Recovery plans support up to 100 protected instances. 

m Recovery plans can include instructions and tasks. 

m You can run failovers using recovery plans. 


m Asingle system can be referenced by multiple recovery plans. If a system has already 
failed over using a prior recovery plan, it will be skipped by a new recovery plan. 


m You can replace manual actions in recovery plans with Azure automation runbooks. 


NEED MORE REVIEW? RECOVERY PLANS 


You can learn more about recovery plans at https://docs.microsoft.com/en-us/azure/ 
site-recovery/recovery-plan-overview. 


Configure Site Recovery for Azure virtual machines 


You can use ASR to manage the process of replicating and failing over Azure laaS VMs from 
one Azure datacenter to another. Replication is continuous when replicating laaS VMs to 
another azure region. 


To configure ASR for an Azure VM, perform the following steps: 
1. Select the laaS VM you wish to replicate. 


2. Inthe Operations section, select Disaster recovery. 
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3. On the Basics tab, select the target region to which you wish to replicate the VM. 


4. Select Review + Start replication. Replication will occur according to the default ASR 
laaS VM replication policy. 

ASR replication policies define the retention history of ASR recovery points. The default 
replication policy retains recovery points for one day and application-consistent snapshots are 
disabled. You can configure an ASR recovery policy that has a longer ASR recovery point and 
that has application-consistent recovery points. Application-consistent recovery points can 
be created at a minimum frequency of one an hour. You can configure recovery points to be 
stored up to 15 days with managed disks and three days with unmanaged disks. Rather than 
specifying a longer ASR recovery point retention policy, it is generally simpler to use Azure 
Backup and cross-region restore functionality if you want to recover older versions of a repli- 
cated VM. 


ASR for Azure laaS virtual machines supports the following: 
m Replication of VMs to different subscriptions associated with the same Azure AD tenant. 


= VMs that have Azure Disk Encryption (ADE) enabled. Replication will copy the required 
disk encryption keys and secrets from the source region to the target region using the 
user context. If the account configuring ASR doesn’t have the appropriate security, it's 
also possible for a person with the required permissions to script the transfer of keys and 
secrets. 


m Azure laaS VM disks can be excluded from replication. 
m Azure laaS VM disks can be added to a VM replication configuration. 


ASR for laaS VMs between regions does not support the VM retaining the same public IP 
address after failover. As public IP addresses are specific to each Azure region, a new one will 
be assigned after failover. laaS VMs can retain their private IP address information. 


NEED MORE REVIEW? AZURE DISASTER RECOVERY ARCHITECTURE 


You can learn more about Azure disaster recovery architecture at https://docs.microsoft.com/ 
en-us/azure/site-recovery/azure-to-azure-architecture. 


Configure Azure Site Recovery networking 


When configuring ASR replication between Azure sites, you should create a network service 
endpoint in the virtual network that hosts the VMs that you are protecting to ensure that 
replication traffic does not leave the Azure boundary. You should also configure IP addressing 
between the primary and target virtual networks prior to enabling replication. 


To configure network mapping, perform the following steps. 
1. In the Site Recovery infrastructure section of the RSV, select Network mapping. 


2. Adda network mapping and then specify the source virtual network and the target 
virtual network. 
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If you don't create a network mapping prior to configuring disaster recovery for Azure laaS 
VMs, you can specify a target network when you configure replication. When you do this, a 
mapping is automatically created and a network in the target region that is identical to the 
source network is created. This target network will have the -asr suffix. 

The subnet assigned within the virtual network for the target VM will be selected based 
on the name of the subnet for the source VM. If there is no subnet in the target network that 
has the same name as a subnet in the source network, then the first subnet in alphabetical 
order in the target network will be assigned to the VM. If the source and destination sub- 
nets are configured with the same address space, then the source and destination laaS VMs 
will have the same IP addresses. If the source and destination subnets have different address 
spaces, the target VM will be assigned the next available IP address in the target subnet. 

If the NIC of the source laaS VM is configured to use DHCP, the target laaS VM’'s NIC will 
also be configured to use DHCP. If the NIC on the source laaS VM is configured with a static IP 
address, the NIC on the target laaS VM will also be configured to use a static IP address. This 
also applies to the secondary IP address configurations of VMs. 


NEED MORE REVIEW? NETWORKING AND SITE RECOVERY 


You can learn more about site recovery networking at https://docs.microsoft.com/azure/ 
site-recovery/azure-to-azure-about-networking. 


Configure Azure Site Recovery policy 


Rather than configuring ASR for resources on a workload by workload basis, you can use 
Azure Policy to configure ASR for workloads at scale. This allows you to ensure that all critical 
workloads are protected, a much better strategy than figuring out after a disaster occurs that a 
workload you thought was protected had yet to be configured for ASR. 


Once you create a policy that configures disaster recovery and apply it at the management 
group, subscription, or resource group levels, all new laaS VMs that you deploy will have ASR 
enabled automatically. You can also use Azure Policy’s remediation functionality to enable ASR 
through policy for existing VMs that do not have ASR enabled. 


Policies related to ASR for laaS VMs are supported for the following configuration elements: 
m Managed disks where the OS disk is between 1 GB and 4 TB; data disks up to 32 TB 

m Up to 100 disks per VM 

m laaS VMs configured for availability sets 

m laaS VMs configured for availability zones 


Policies related to ASR for laaS VMs are not supported if the laaS VMs have the following 
configuration elements: 


m Unmanaged disks 
m Ultra disks 
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Azure Disk Encryption—enabled VMs 
Customer-managed key (CMK)-enabled disks 


m Storage Spaces Direct (S2D) clusters 


m Virtual machine scale sets 


Configuring an Azure Policy related to ASR involves performing the following general steps: 


1. In the Azure portal, navigate to Azure Policy and then use the Assign policy option 
to assign a new policy to a specific scope. Generally, you will choose to do this at the 
Subscription or the Resource Group level, but it is possible to also do this across multiple 


subscriptions using management groups. 


2. When configuring the policy definition, select the existing Configure disaster recovery 
on virtual machines by enabling replication via Azure Site Recovery policy definition. 


3. In the Assign Policy workflow, provide the following ASR related parameters: 


Source region Where the primary laaS VMs are located 
Targetregion ASR failover region for laaS VMs 

Target Resource Group Resource group for failover laaS VMs 
Vault Resource Group Resource group that hosts ASR RSV 
Recovery Services Vault RSV that hosts ASR data 


Recovery Virtual Network Virtual network to which failover laaS VMs will 
connect 


Cache storage account Storage account used for replicated cache data 
Tag Name Tag for protected resources 

Tag Values Values for tags applied to failover laaS VMs 

Tag Type Type of tag to apply to failover laaS VMs 


Effect Allows you to specify whether the policy is enabled immediately after 
creation 


NEED MORE REVIEW? AZURE POLICY WITH ASR 


You can learn more about using Azure Policy with ASR at https://docs.microsoft.com/en-us/ 


azure/site-recovery/azure-to-azure-how-to-enable-policy. 


EXAM TIP 


Remember that you can replace a manual action in an Azure Site Recovery plan with an 


Azure Automation Runbook. 
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Skill 3.3: Protect virtual machines by using 
Hyper-V Replica 


Hyper-V Replica allows you to stream a virtual machine's contents from one Hyper-V host to 
another. Replication provides you with the option of switching a workload's operation from the 
primary VM to the replica VM in the event that the primary host fails or you need to take the 
original host. Unlike failover clustering, which you would use to ensure high availability in the 
event of a cluster node failure, Hyper-V Replica is a disaster recovery technology that allows 
you to quickly restore a workload to functionality in the event of a complete cluster or site 
failure. 


This section covers how to: 

m Understand Hyper-V Replica 

= Configure Hyper-V hosts for replication 
m Manage Hyper-V Replica servers 

= Configure VM replication 


m Perform a failover 


Understand Hyper-V Replica 


Hyper-V Replica provides a replica of a VM running on one Hyper-V host that can be stored 
and updated on another Hyper-V host. For example, you could configure a VM hosted ona 
Hyper-V failover cluster in Melbourne to be replicated through Hyper-V Replica to a Hyper-V 
failover cluster in Sydney. Hyper-V Replica allows for replication across site boundaries and 
does not require access to shared storage in the way that failover clustering does. 


Hyper-V Replica is asynchronous. While the replica copy is consistent, it is a lagged copy 
with changes sent only as frequently as once every 30 seconds. Hyper-V Replica supports 
multiple recovery points, with a recovery snapshot taken every hour. (This incurs a resource 
penalty, so the setting is off by default.) This means that when activating the replica, you can 
choose to activate the most up-to-date copy or a lagged copy. You would choose to activate 
a lagged copy in the event that some form of corruption or change made the up-to-date copy 
problematic. 


When you perform a planned failover from the primary host to the replica, you need to 
switch off the primary host. This ensures that the replica is in an up-to-date and consistent 
state. This is a drawback compared to failover or live migration, where the VM will remain avail- 
able during the process. A series of checks are completed before performing planned failover 
to ensure that the VM is off, that reverse replication is allowed back to the original primary 
Hyper-V host, and that the state of the VM on the current replica is consistent with the state of 
the VM on the current primary. Performing a planned failover will start the replicated VM on 
the original replica, which will now become the new primary server. 
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Hyper-V Replica also supports unplanned failover. You perform an unplanned failover in 
the event that the original Hyper-V host has failed or the site that hosts the primary replica has 
become unavailable. When performing an unplanned failover, you can choose either the most 
recent recovery point or a previous recovery point. Performing unplanned failover will start the 
VM on the original replica, which will now become the new primary server. 


Hyper-V extended replication allows you to create a second replica of the existing replica 
server. For example, you could configure Hyper-V replication between a Hyper-V virtualization 
host in Melbourne and Sydney, with Sydney hosting the replica. You could then configure an 
extended replica in Brisbane using the Sydney replica. 


Configure Hyper-V hosts for replication 


To configure Hyper-V Replica, you must configure the Replication Configuration settings. The 
first step is to select Enable This Computer As A Replica Server. Next, select the authenti- 
cation method you are going to use. If the computers are parts of the same Active Directory 
environment, you can use Kerberos. When you use Kerberos, Hyper-V replication data isn't 
encrypted when transmitted across the network. When using Kerberos on the default port to 
replicate virtual machines, ensure that you enable the Hyper-V Replica HTTP Listener (TCP-In) 
rule in Windows Defender Firewall with Advanced Security. 


If you are concerned about encrypting network data, you could configure IPsec. If you 
are concerned about encrypting replication traffic, another option is to use certificate-based 
authentication. This is useful if you are transmitting data across the public internet without 
using an encrypted VPN tunnel. When using certificate-based authentication, you'll need to 
import and select a public certificate issued to the partner server. 


The final step when configuring Hyper-V Replica is to select the servers from which the 
Hyper-V virtualization host will accept incoming replicated VM data. One option is to have the 
Hyper-V virtualization host accept replicated VMs from any authenticated Hyper-V virtualiza- 
tion host, using a single default location to store replica data. The other option is to configure 
VM replica storage on a per-server basis. For example, if you wanted to store VM replicas from 
one server on one volume and VM replicas from another server on a different volume, you'd 
configure VM replica storage on a per-server basis. 


Once replication is configured on the source and destination servers, you'll also need to 
enable the predefined firewall rules to allow the incoming replication traffic. There are two 
rules: one for replication using Kerberos (HTTP) on port 80 and the other for using certificate- 
based authentication on port 443. 


You need to configure and deploy Hyper-V Replica Broker if your Hyper-V Replica con- 
figuration includes a Hyper-V failover cluster as a source or destination. You don’t need to 
configure and deploy Hyper-V Replica Broker if both the source and destination servers are 
not participating in a Hyper-V failover cluster. You install the Hyper-V Replica Broker role using 
Failover Cluster Manager after you've enabled the Hyper-V role on cluster nodes. You specify 
the name of the Hyper-V Replica Broker when configuring the name of the replication target. 
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NEED MORE REVIEW? CONFIGURE HYPER-V REPLICA 


You can learn more about setting up Hyper-V Replica at https://docs.microsoft.com/en-us/ 
windows-server/virtualization/hyper-v/manage/set-up-hyper-v-replica. 


Manage Hyper-V Replica servers 


Beyond ensuring that the appropriate network traffic rules are configured, the process of man- 
aging Hyper-V Replica servers is similar to managing Hyper-V standalone servers. You want to 
ensure that the primary and the replica server are configured and provisioned in a similar way 
so that virtual machine workloads retain the same functionality independent of which Hyper-V 
server hosts them. You should also ensure that both the primary and the replica server configu- 
ration are optimized for virtualized workloads. This includes ensuring that memory settings are 
optimized, that virtual processors are allocated appropriately, and that virtual machine storage 
is on a disk or storage device that is separate from the disk that hosts the operating system 
volume. 


Smart paging 

Smart paging is a special technology in Hyper-V that functions in certain conditions when a VM 
is restarting. Smart paging uses a file on the disk to simulate memory to meet Startup Memory 
requirements when the Startup Memory setting exceeds the Minimum Memory setting. 
Startup Memory is the amount of memory allocated to the VM when it starts, but not when it 
is in arunning state. For example, you could set Startup Memory to 2,048 MB and the Mini- 
mum Memory to 512 MB for a specific virtual machine. In a scenario where 1,024 MB of free 
memory was available on the virtualization host, smart paging would allow the VM to access 
the required 2,048 MB of memory. 


Because smart paging uses disk to simulate memory, it’s only active if the following three 
conditions occur at the same time: 

= The VM is being restarted. 

m There is not enough memory on the virtualization host to meet the Startup Memory 

setting. 

= Memory cannot be reclaimed from other VMs running on the same host. 

Smart paging doesn’t allow a VM to perform a “cold start” if the required amount of Startup 
Memory is not available but the Minimum Memory amount is. Smart paging is used only when 
a VM that was already running restarts and those three conditions have been met. From the 


perspective of performing replica failover, a VM will be “cold starting” rather than restarting 
because until the failover occurs, the VM is in a stopped state. 


You can configure the location of the smart paging file on a per-VM basis. By default, smart 
paging files are written to the C:\ProgramData\Microsoft\Windows\Hyper-V folder. The smart 
paging file is created only when needed and is deleted within 10 minutes of the VM restarting. 
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VM CPU groups 


VM CPU groups allow you to isolate VM groups to specific host processors; for example, ona 
multi-processor Hyper-V host, you might choose to allow a group of VMs exclusive access to 
specific processor cores. This can be useful in scenarios where you must ensure that different 
VMs are partitioned from one another, with Hyper-V network virtualization providing com- 
pletely separate tenant networks and VM CPU groups ensuring that separate VM groups never 
share the same physical CPUs. 


CPU groups are managed through the Hyper-V Host Compute Service (HCS). You cannot 
directly manage CPU groups through PowerShell or the Hyper-V console and instead need to 
download the cpugroups.exe command-line utility from the Microsoft Download Center. You 
can use this utility on the primary and replica servers to ensure that VM workloads are allo- 
cated to specific CPU groups after failover. 


Storage QoS 


Storage Quality of Service (QoS) allows you to limit the maximum number of IOPS (input/out- 
put operations per second) for virtual hard disks. IOPS are measured in 8 KB increments. If you 
specify a maximum IOPS value, the virtual hard disk will be unable to exceed this value. You use 
Storage QoS to ensure that no single workload on a Hyper-V virtualization host consumes a 
disproportionate amount of storage resources. 


It's also possible to specify a minimum IOPS value for each virtual hard disk. You would 
do this if you wanted to be notified that a specific virtual hard disk's IOPS has fallen below a 
threshold value. When the number of IOPS falls below the specified minimum, an event is writ- 
ten to the event log. You configure Storage QoS on a per-virtual hard disk basis. 


Deduplication 


In Windows Server 2019 and later, both ReFS and NTFS volumes support deduplication. Dedu- 
plication is a process by which duplicate instances of data are removed from a volume and 
replaced with pointers to the original instance. Deduplication is especially effective when used 
with volumes that host virtual hard disk files because many of these files contain duplicate cop- 
ies of data, such as the VM's operating system and program files. 

Once installed, you can enable deduplication through the Volumes node of the File and 
Storage Services section of the Server Manager Console. When enabling deduplication, you 
specify whether you want to use a general file server data deduplication scheme or a virtual 
desktop infrastructure (VDI) scheme. For volumes that host VM files, the VDI scheme is appro- 
priate. You can’t enable deduplication on the operating system volume; deduplication may 
only be enabled on data volumes. 


Storage tiering 


Storage tiering is a technology that allows you to mix fast storage, such as solid-state disk 
(SSD), with traditional spinning magnetic disks to optimize both storage performance and 
capacity. Storage tiering works on the premise that a minority of the data stored on a volume 
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is responsible for the majority of read and write operations. Storage tiering can be enabled 
through the storage spaces functionality, and rather than creating a large volume that consists 
entirely of SSDs, you create a volume consisting of both solid-state and spinning magnetic 
disks. In this configuration, frequently accessed data is moved to the parts of the volume 
hosted on the SSDs, and less frequently accessed data is moved to the parts of the volume 
hosted on the slower spinning magnetic disks. This configuration allows many of the per- 
formance benefits of an SSD-only volume to be realized without the cost of using SSD-only 
storage. 


When used in conjunction with deduplication, frequently accessed deduplicated data is 
moved to the faster storage, providing reduced storage requirements, while improving per- 
formance over what would be possible if the volume hosting VM files were solely composed 
of spinning magnetic disks. You also have the option of pinning specific files to the faster 
storage, such as those used for virtual machine hard disk, which overrides the algorithms that 
move data according to accumulated utilization statistics. You configure storage tiering using 
PowerShell. 


NEED MORE REVIEW? BOTTLENECKS IN VIRTUALIZED ENVIRONMENTS 


You can learn more about bottlenecks in virtualized environments at https:// 
docs.microsoft.com/en-us/windows-server/administration/performance-tuning/role/ 
hyper-v-server/detecting-virtualized-environment-bottlenecks. 


Configure VM replication 


After you have configured the source and destination replica servers, you have to configure 
replication on a per-VM basis. You do so by running the Enable Replication Wizard, which you 
can trigger by selecting Enable Replication when the VM is selected in Hyper-V Manager. To 
configure VM replicas, you must perform the following steps: 


= Select Replica Server Select the replica server name. If you are replicating to a 
Hyper-V failover cluster, you'll need to specify the name of the Hyper-V Replica Broker. 


= Choose Connection Parameters Specify the connection parameters. The options 
will depend on the configuration of the replica servers. On this page, depending on the 
existing configuration, you can choose the authentication type and whether replication 
data will be compressed when transmitted over the network. 

= Select Replication VHDs When configuring replication, you have the option of not 
replicating some of a VM’s virtual hard disks. In most scenarios, you should replicate all 
of a VM's hard disk drives. One reason not to replicate a VM's virtual hard disk would be 
if the virtual hard disk only stores frequently changing temporary data that wouldn't be 
required when recovering the VM. 


Implement disaster recovery 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


= Replication Frequency Use this page to specify the frequency with which changes 
are sent to the replica server. You can choose between intervals of 30 seconds, 
5 minutes, and 15 minutes. 


= Additional Recovery Points You can choose to create additional hourly recovery 
points. Doing so gives you the option of starting the replica from a previous point in 
time rather than the most recent. The advantage is that this allows you to roll back to 
a previous version of the VM in the event that data corruption occurs and the VM has 
replicated to the most recent recovery point. The replica server can store a maximum of 
24 recovery points. 


= Initial Replication The last step in configuring Hyper-V Replica is choosing how to 
seed the initial replica. Replication works by sending changed blocks of data, so the 
initial replica, which sends the entire VM, will be the largest transfer. You can perform an 
offline transfer with external media, use an existing VM on the replica server as the ini- 
tial copy (the VM for which you are configuring a replica must have been exported and 
then imported on the replica server), or transfer all VM data across the network. You can 
perform replication immediately or at a specific time in the future, such as 2 a.m. when 
network utilization is likely to be lower. 


NEED MORE REVIEW? EXTENDED REPLICATION 


You can learn more about extended replication at https://docs.microsoft.com/en-us/ 
virtualization/community/team-blog/2013/20131209-hyper-v-replica-extend-replication. 


Perform a failover 


There are three types of failover that you can perform with Hyper-V Replica: test failover, 
planned failover, and unplanned failover. 


m Test failover is a special operation that you can perform on a replica virtual machine 
that allows you to verify the integrity of the virtualized workload without impacting the 
production workload or the ongoing replication process. You should run regular test 
failovers as part of your disaster recovery drills. You can perform test failovers only on 
the server that hosts the replica. 


m Aplanned replica failover allows you to shift VM hosting duties to the replica server 
rather than have the VM run on the primary host. Planned failover involves shutting 
down the VM, which ensures that the replica will be up to date. Contrast this with 
Hyper-V live migration, which you perform while the VM is running. When performing 
a planned failover, you can configure the VM on the replica server to automatically start 
once the process completes; you can also configure reverse replication so that the cur- 
rent replica server becomes the new primary server and the current primary becomes 
the new replica server. You can only perform a planned failover on the primary server 
and cannot perform it in the server that hosts the replica VM. 
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m You trigger an unplanned failover in the event that the primary server becomes unavail- 
able. You perform the unplanned failover on the replica server (as the primary is not 
available). When performing an unplanned failover, you can select any of the up to 24 
previously stored recovery points. In the user interface, an unplanned failover is termed 
Failover. 


NEED MORE REVIEW? REPLICA FAILOVER 


You can learn more about replica failover at https://docs.microsoft.com/en-us/virtualization/ 
community/team-blog/2012/20120725-types-of-failover-operations-in-hyper-v-replica-part-i- 
test-failover. 


EXAM TIP 


Remember on which servers in a replica pair you can perform a planned failover and on 
which you can perform an unplanned failover. 


Chapter summary 


m To back up an on-premises server to Azure, download the Recovery Services vault 
credentials. 

m Specify backup retention settings at the agent level when backing up a server using the 
MARS agent. 

m Restoring individual files from laaS VMs backed up to a Recovery Services vault requires 
that you download and run a recovery script. 

m Microsoft Azure Backup Server is required if you want to protect a Hyper-V server with 
its virtual machines or when you want to perform bare-metal recovery of a physical 
server. 

m You can replace manual actions in Azure Site Recovery plans with Azure Automation 
Runbooks. 

= To replicate physical servers from on-premises to the internet using Azure Site Recovery, 
ensure that the Site Recovery Mobility Service is installed on each physical server and 
that the Azure Site Recovery Configuration Server role is deployed on a separate server 
that is connected to the internet. 

m Hyper-V replication can replicate virtual machines between clusters and standalone 
Hyper-V servers. 

m Allow Hyper-V replication by enabling the Hyper-V Replica HTTP Listener (TCP-In) rule 
when using Kerberos authentication. 

m You perform a planned failover on the primary server and you perform the unplanned 
failover on the replica server. 
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Thought experiment 


In this thought experiment, demonstrate your skills and knowledge of the topics covered in this 
chapter. You can find answers to this thought experiment in the next section. 


Tailwind Traders is located in Melbourne, Australia and is adopting Azure backup technolo- 
gies to protect its hybrid infrastructure. Tailwind Traders hosts many of its production work- 
loads as virtual machines on a Hyper-V server named MEL-Hyperv. A separate server named 
MEL-FS1 hosts important organizational files. Some of these files contain a specific type of 
personal data that cannot be stored anywhere other than Australia. With this information in 
mind, answer the following questions: 


1. Other than deploying the MARS agent, what steps should you take to ensure that the 
VMs on MEL-HyperV are protected by Azure Backup? 


2. What tool can you use to manage backup retention of the files and folders on MEL-FS1? 


3. What type of redundancy should you configure for the RSV? 


Thought experiment answers 


This section contains the solution to the thought experiment. Each answer explains why the 
answer choice is correct. 


1. You need to deploy Azure Backup Server in addition to the MARS to protect the VMs on 
an on-premises Hyper-V server. 


2. You use the MARS agent on MEL-FS1 to manage the backup retention properties of 
backups taken on that server. 


3. ZRS is appropriate for workloads that require high data durability but also require the 
backup data to be kept in a specific geographic location. 
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Migrate servers and 
workloads 


Migration involves not only having workloads shifting from on-premises to Azure, but also 
involves moving workloads from older versions of Windows Server to the current version of 
Windows Server. Each type of workload, from storage workloads to virtual machines and web 
applications and even Active Directory, requires a different set of migration technologies 

and tools. 


Skills covered in this chapter: 
m Skill 4.1: Migrate on-premises storage to on-premises servers or Azure 
m Skill 4.2: Migrate on-premises servers to Azure 
m Skill 4.3: Migrate workloads from previous versions to Windows Server 2022 
m Skill 4.4: Migrate IIS workloads to Azure 
m Skill 4.5: Migrate an AD DS infrastructure to Windows Server 2022 AD DS 


Skill 4.1: Migrate on-premises storage to on-premises 
servers or Azure 


An advantage of moving to the cloud is that for a price it does provide functionally limitless 
storage. This lack of limitation reduces the necessity for organizations to spend time decid- 
ing what data to keep, what data can be deleted, what data to move off site, and whether 

to extend existing on-premises storage infrastructure. This objective deals with migrating 
shared folders and files from older versions of Windows Server to newer versions of Windows 
Server as well as how to migrate files and folders to laaS VMs and Azure File Shares. 


This section covers how to: 

m Transfer data and shares 

= Cut over to a new server by using Storage Migration Service 

m Use Storage Migration Service to migrate to Azure Virtual Machines 


= Migrate to Azure File Shares 
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Transfer data and shares 


Storage Migration Service is a role service included in Windows Server 2019 and later that 
leverages Windows Admin Center to allow you to inventory the settings and data of a source 
file server, transfer the files and settings to a destination server, and then configure the des- 
tination server with the settings and identity that were present on the source server. Storage 
Migration Service allows you to: 


Inventory multiple servers and the data they store 
Quickly transfer files, file shares, and security settings from source servers 


Apply the identity of the source server to the destination server, including name and 
IP address settings so that users and applications do not have to alter their existing 
behavior and configuration 


While copying files and their permissions has always been something that most administra- 
tors could generally figure out how to do fairly quickly, it was often a bit more challenging to 
copy the settings of the shared folders that hosted those files. Storage Migration Service allows 
you to migrate all the flags, settings, and security settings of SMB file shares. The flags that 
Storage Migration Service migrates include: 


Share State 
Availability Type 

Share Type 

Folder Enumeration Mode (aka Access-Based Enumeration [ABE]) 
Caching Mode 
Leasing Mode 

SMB Instance 

CA Timeout 
Concurrent User Limit 
Continuously Available 
Description 

Encrypt Data 

Identity Remoting 
Infrastructure 

Name 

Path 

Scoped 

Scope Name 


Security Descriptor 
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m Shadow Copy 
= Special 
m Temporary 


There are some limitations to what you can transfer using Storage Migration Service. These 
include not allowing you to migrate the following folders and files: 


= Windows, Program Files, Program Files (x86), Program Data, Users, $Recycle.bin, 
Recycler, Recycled, System Volume Information, $UpgDrv$, $SysReset, $Windows.~BT, 
$Windows.~LS, Windows.old, boot, Recovery, Documents and Settings, pagefile.sys, 
hiberfil.sys, swapfile.sys, winpepge.sys, config.sys, bootsect.bak, bootmgr, and bootnxt 


m Any file or folder on the source server that conflicts with folders assigned the exclusion 
designation folders on the destination server 


You can't use Storage Migration Service to migrate file servers that are members of sepa- 
rate domains. You also can’t use Storage Migration Service to migrate file servers between 
workgroups. 


Storage Migration Service Orchestrator 


Storage Migration Service Orchestrator servers manage the migration process. You can install 
the Orchestrator on a specific Windows Server instance if you are performing multiple migra- 
tions or deploy the service on instances that are participating in the migration if they are run- 
ning Windows Server 2019 or later. 

It's important to note, especially if you are building your own test lab, that you can’t deploy 
the Storage Migration Service Orchestrator from a host installed using the Evaluation version 
of Windows Server. To install the Orchestrator service on a computer, open Windows Admin 
Center and select Storage Migration Service. 

Storage Migration Service requires that the following rules be enabled in Windows Firewall 
for all computers participating in the operation: 


File and Printer Sharing (SMB-In) 


Netlogon Service (NP-In) 
m Windows Management Instrumentation (DCOM-In) 
m Windows Management Instrumentation (WMI-In) 


If you are using a third-party firewall product, ensure that you open TCP ports 135, 445, and 
1025-65535. The service ports are TCP 28940 for the Orchestrator and TCP 28941 for the Proxy. 


To perform a migration, you need access to the credentials of accounts with the following 
permissions: 


m Administrator permissions on the source and destination computer 


m Administrator permissions on the computer that hosts the Storage Migration Service 
Orchestrator role 
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Inventory source servers 


The first step in migrating file shares from one server to another is to inventory the source 
servers to discover what shares are present, what files and folders are present, and all of the 
identity information related to the source server. To do this, perform the following steps: 


1. Using Windows Admin Center, connect to the server on which you have installed the 
Storage Migration Service Orchestrator. 


2. Select Storage Migration Service, select New job, provide a name for the job, and then 
select OK. 


3. On the next page of the Inventory wizard, provide the credentials of an account with 
administrative privileges. This page also allows you to choose whether to migrate the 
contents of administrative shares. 


4. Select Add to start the Add A Device wizard. In this wizard, provide the hostname for the 
server that hosts the files that you wish to migrate. You can use the Add button to add 
multiple source servers on this page. 


5. When you are finished adding source servers, select Start Scan. Storage Migration 
Service will generate an inventory of the listed servers. 


6. After the inventory completes, you can select the server and view the server shares, 
configuration, network adapters, and volumes, as shown in Figure 4-1. 
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FIGURE 4-1 Inventory job results 


7. Once you have reviewed the information generated by the inventory scans, select Next 
to begin the data copy process. 
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Copy data 


The data copy process copies data from the source to the destination server. Although this 
process is sometimes termed the transfer process, it's important to note that the data is only 
copied, and it is not actually moved from one server to another. This means that if something 
goes wrong, you still have the original source server in its pre-migration condition. 


To begin the copy process, perform the following steps: 


1. 
2. 


Ensure that the firewall rules listed earlier are configured on the destination server. 


Provide the credentials of an account that has administrative rights on the destination 
server. 


Provide the address of the destination device, as shown in Figure 4-2. You can do 
this using the IP address or FQDN. Select Scan Device and the destination server will 
be inventoried. If the scan doesn’t work, verify that the firewall rules are configured 
correctly. 
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FIGURE 4-2 Add destination device 


On the Adjust Transfer Settings page, select checksum settings for transmitted files, the 
maximum duration of the transfer job, how many retries to attempt for files that fail to 
transfer properly, and the delay between transfers. 


On the Validate Source And Destination Devices page, select Validate and review any 
warnings. 


On the Start The Transfer page, select Start the transfer. You can monitor the progress 
of the transfer, as shown in Figure 4-3. 
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FIGURE 4-3 Monitor transfer 


7. When the transfer completes, you can check the error log to determine which, if any, 
files and settings failed to transfer. 


NEED MORE REVIEW? TRANSFERRING DATA AND SHARES 


You can learn more about transferring data and shares at https://docs.microsoft.com/en-us/ 
windows-server/storage/storage-migration-service/migrate-data. 


Cut over to a new server by using Storage Migration Service 


The cutover phase is an optional phase that allows you to configure the destination server to 
assume the name and identity of the source server. This is one of the most interesting aspects 
of this technology because it means that you can have Storage Migration Service create a Win- 
dows Server 2022 clone of a Windows Server 2003 server, with the Windows Server 2022 server 
assuming the network identity of the server it is replacing; this means users and applications 
aren't aware that any change has occurred. To perform the cutover, follow these steps: 


1. On the Enter Credentials page, provide administrative credentials for the source and 
destination devices. 


2. On the page with the source server name, specify how you want network identity 
information transferred from the source to the destination server. Figure 4-4 shows the 
address information assigned to the Ethernet adapter on the source computer being 
applied to the Ethernet adapter on the destination computer. You can also configure the 
source computer to be assigned a random name during the cutover process, or you can 
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have it choose a new name to ensure that there are no conflicts once the destination 
server assumes the source server's identity. 
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FIGURE 4-4 Configure cutover identity information 


After validating settings and providing any credentials required to update the Active 
Directory information for the computers that are being managed, you can perform one 
final validation, as shown in Figure 4-5. 
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FIGURE 4-5 Validate cutover configuration 
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4. You then begin the cutover by selecting Start Cutover. When the cutover completes, 
select Finish. 


NEED MORE REVIEW? SMS CUTOVER 


You can learn more about SMS cutover at https://docs.microsoft.com/en-us/windows-server/ 


storage/storage-migration-service/cutover. 


Use Storage Migration Service to migrate to Azure Virtual 
Machines 

Instead of migrating from one on-premises Windows Server instance to another, Storage 
Migration Service also provides you with the ability to migrate to a Windows Server Azure laaS 
VM instance that is created as part of the Storage Migration Service process. Clients on on- 
premises networks will connect using ExpressRoute or Site-to-Site VPN to the Azure laas file 
server. 

Before you can perform this task, the Windows Admin Center instance and Orchestrator 
service must be registered with the Azure subscription in which you wish to deploy the destina- 
tion laaS VM. The creation of the laaS VM does not require use of the Azure portal and can be 
completed from Windows Admin Center. The laaS VM process will recommend an Azure laaS 
VM size that is similar to the specifications of the source file server. 

The process will also attempt to join the Windows Server laaS VM to the same AD DS 
domain that the source server is a member of. Accomplishing this requires that AD DS be 
available to the virtual network on which the laaS VM is deployed, either through AD DS DC 
placement, Azure ExpressRoute, or a Site-to-Site VPN. DNS on the destination virtual network 
will need to point to AD DS DNS records. 


NEED MORE REVIEW? STORAGE MIGRATION SERVICE 


You can learn more about Storage Migration Service at https://docs.microsoft.com/en-us/ 
windows-server/storage/storage-migration-service/overview. 


Migrate to Azure File Shares 


The Azure File Shares feature allows clients to connect to an SMB share without requiring you 
to deploy and manage a host server. SMB Azure File Shares can be accessed over the internet 
from Windows, Linux, and macOS clients. You can back up and recover Azure File Shares using 
Azure Backup. 


Azure File Shares migration strategies 


The method that you use to migrate data to Azure File Shares depends on the volume of data. 
The following tools can be used to migrate data: 
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= Forsmall amounts of data, you can map the Azure File Shares using Windows Explorer 
and copy files as you would between a local host and a local file server. 


= Robocopy can be used to copy files and folders from an on-premises source to Azure. 
The robocopy.exe /MIR command can then be used to synchronize any changes without 
having to perform a new copy. 


m Azure File Sync can be used to synchronize an on-premises file server with an Azure File 
Share. This method is appropriate if you want to have a file server endpoint on-premises 
to allow fast access to frequently accessed files, while storing the majority of the file and 
folder data in Azure. 

m Azure Data Box can be used to move large volumes of file and folder data that would be 
impractical to copy to Azure across a network connection. Azure Data Box is covered in 
more detail later in this chapter. 


NEED MORE REVIEW? MIGRATE TO AZURE FILE SHARES 


You can learn more about migrating to Azure File Shares at https://docs.microsoft.com/en-us/ 


azure/storage/files/storage-files-migration-overview. 


AD DS authentication for Azure File Shares 


When AD DS for Azure File Shares over SMB is enabled, AD DS—joined computers are able 
to mount Azure File Shares using existing credentials. You can do this under the following 
conditions: 
m Synchronization between on-premises AD DS and Azure AD is configured through 
Azure AD Connect. The Azure File Share and the Azure AD tenancy against which syn- 
chronization is occurring must be associated with the same subscription. 


= Computers must be domain-joined to AD DS. It is possible for a user of a computer that 
is not domain-joined to access a file share enabled for AD DS if that computer has direct 
connectivity to an AD DS domain controller for the synchronized domain. 

m The storage account hosting the file shares is not configured for Azure AD DS authenti- 
cation. Azure AD DS authentication and on-premises AD DS authentication cannot both 
be used on the same storage account. 

m Clients are able to access SMB file shares on the internet over port 445. Some ISPs block 
outbound traffic on this port, so alternatives such as a VPN connection may be required. 

Once these conditions are met, you can enable AD DS for Azure File Shares over SMB by 
performing the following steps: 
1. Enable AD DS authentication on the storage account using the Join-AzStorageAccount 
cmdlet. This cmdlet creates a computer account in the AD DS domain. 
2. Assign share-level permissions to a specific synchronized identity including group 
accounts. This can be done using the New-AZRoleAssignment cmdlet by specifying the 
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RoleDefinitionName parameter set to Storage File Data SMB Share Reader, Storage File 
Data SMBE Share Contributor, or Storage File Data SMB Share Elevated Contributor 
roles. 

3. Assign NTFS file and folder permissions by mounting the Azure File Share with an 
account that has the Storage File Data SMB Share Elevated Contributor role on the 
share. Use Windows Explorer to assign permissions in the same way that you would 
assign them to files and folders in a traditional file share. 


NEED MORE REVIEW? MIGRATE TO AZURE FILE SHARES 


You can learn more about AD DS authentication for Azure File Shares at https://docs.microsoft.com/ 
en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable. 


Migrate files using Azure Data Box 


Azure Data Box allows you to transfer extremely large volumes of data from your on-premises 
servers to Azure. Each Data Box storage device has a maximum capacity of 80 TB. You can 
order a Data Box device from the Azure portal. Once it arrives, you copy data from local serv- 
ers to the device and ship the device back to Microsoft. Once the device arrives at the local 
Azure datacenter, the data will automatically be uploaded from the device to Azure. You will 
be notified through the Azure portal that the data copy is complete and available in a storage 
account in the Azure subscription you used to order the Data Box storage device. Once you 
have verified that the data is present in the Azure storage account, the Data Box will be wiped 
to National Institute of Standards and Technology (NIST) data erasure standards. 


NEED MORE REVIEW? MIGRATE FILES USING AZURE DATA BOX 


You can learn more about migrating using Azure Data Box at https://docs.microsoft.com/ 


en-us/azure/databox/data-box- overview. 


EXAM TIP 


Remember that Azure Data Box is appropriate for transferring volumes of data to Azure that 
are so large that it would take weeks or months to accomplish the same task using Storage 


Migration Service. 


Skill 4.2: Migrate on-premises servers to Azure 


This objective deals with the methods you can use to migrate Hyper-V virtual machines as 
well as physical servers running the Windows Server operating system to Azure using Azure 
Migrate. 
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This section covers how to: 

m Migrate by using Azure Migrate 

m Deploy and configure Azure Migrate appliance 
m Migrate VM workloads to Azure laaS 


a Migrate physical workloads to Azure laaS 


Migrate by using Azure Migrate 


Azure Migrate provides you with a tool to assess and migrate on-premises servers, infrastruc- 
ture, applications, and data to Azure. You use Azure Migrate to create a migration project, 
which simplifies the process of managing the assessment of workloads and performing migra- 
tions. Azure Migrate includes the following tools: 


= Azure Migrate: Discovery and Assessment Allows you to discover and assess serv- 
ers, including SQL Server and web apps deployed on Windows Server instances. 

= Azure Migrate: Server Migration Allows you to migrate Hyper-V VMs, VMware 
VMs, physical servers, and VMs in other public clouds to Azure as laaS VMs. 

= Azure Migrate: Database Assessment Allows you to assess SQL Server databases for 
migration to Azure SQL, Azure SQL managed instances, or Azure laaS VMs running SQL 
Server. 

= Azure Migrate: Database Migration Allows you to migrate on-premises databases 
to Azure SQL, Azure SQL managed instances, or Azure laaS VMs running SQL Server. 


= Azure Migrate: Web App Assessment Assess on-premises .NET and PHP web apps 
and migrate them to Azure. 


NEED MORE REVIEW? MIGRATING USING AZURE MIGRATE 


You can learn more about Azure Migrate at https://docs.microsoft.com/en-us/azure/migrate/ 
how-to-migrate. 


Azure Migrate: Discovery and Assessment tool 


The Azure Migrate: Discovery and Assessment tool leverages a lightweight Azure Migrate 
appliance that is deployed on-premises. This appliance can run on a VM or physical server 
instance. It will discover on-premises servers and forward server metadata and performance 
data to the Azure Migrate service in the Azure portal. The appliance is agentless and will not 
deploy software on any discovered servers. The Azure Migrate: Discovery and Assessment 
appliance allows you to perform the following tasks: 


= Azurereadiness Perform tests to determine whether on-premises servers, SQL Serv- 
ers, and web apps have any issues that will block them from being migrated to Azure. 
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= Azuresizing Allows you to determine the size of Azure VMs, Azure SQL instances, 
and Azure VMware solution nodes required once workloads are migrated to Azure. 


= Azure cost estimation Provides a cost estimate for workloads once they are migrated 
to Azure. 


= Dependency analysis Identifies cross-server dependencies in applications that are 
hosted across multiple server instances. 


Azure Migrate: Server Migration tool 


You can use the Azure Migrate: Server Migration tool to migrate the following Windows 
Server instances to Azure. You can also use this tool to migrate Linux workloads, but as the 
AZ-801 exam deals exclusively with Microsoft technologies, Linux migration scenarios are not 
addressed in this book: 


= On-premises Hyper-V VMs Migrate VMs to Azure from Hyper-V hosts. The Server 
Migration tool uses provider agents deployed on Hyper-V hosts for migration. 

= On-premises physical servers Performa physical-to-laaS VM conversion. Server 
Migration uses a replication appliance to perform this task. 

= Web apps hosted on Windows Server Can be migrated using Azure App Service. 
Web app migration is covered in more detail later in this chapter. 

= On-premises VMware VMs Can use agentless or agent-based migration. Agentless 
migration uses the same appliance used for discovery and assessment. For agent-based 
migration, a replication appliance is used. As the AZ-801 exam deals with Microsoft 
technologies, VMware migration scenarios are not addressed in this book. 


Deploy and configure Azure Migrate appliance 


There are several methods that you can use to deploy the Azure Migrate appliance. If you're 
using Hyper-V, you can download a preconfigured virtual machine template from the Azure 
portal and import it as a virtual machine. If you need to deploy the appliance on an existing 
VM or physical server, you install the appliance using a PowerShell script. 


Download a template VHD file from the Azure portal 


In environments where you can import a new virtual machine into Hyper-V, you can acquire 
and download a new appliance by performing the following general steps: 


m Provide a name for the appliance and generate a project key in the Azure portal. 
Download a compressed Hyper-V virtual hard disk from the Azure portal. 


m Use Hyper-V to create the appliance by importing the downloaded virtual machine files. 


= Connect to the appliance and ensure that it can connect to the migration service 
in Azure. You connect to the appliance by navigating to the following web appli- 
cation hosted on the appliance host: https://appliancename:44368 or https:// 
AppliancelPAddress:44368. 
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m Using the appliance web application, register the appliance with the Azure Migrate 
project using the key you generated when creating the appliance. 


Deploy the appliance with a PowerShell script 

If you are setting up an appliance for physical servers, you can only use the script option. You 
can also use this option to deploy the appliance on an existing VM running on Hyper-V or 
VMware or on an laaS VM running in a third-party cloud. The existing Hyper-V VM or physical 
Windows Server instance will need 16 GB of memory, eight vCPUs, and approximately 80 GB 
of memory. The server that hosts the appliance will also require connectivity to the internet. 
To use the script method of deploying the Azure Migrate appliance, perform the following 
general steps: 

= Download the zipped file named AzureMigratelnstaller.zip from the Azure portal. 

m Extract the zipped file on the Windows Server host on which you will deploy the 
appliance. 

m Run the AzureMigratelnstaller.ps1 script from an elevated PowerShell prompt. The script 
will present you with several menu prompts and then deploy the appliance. Deployment 
includes the following steps: 

m Installs agents and a web application on the target Windows Server host. 

m Installs the appropriate Windows Server roles and features. This will include the 

Windows Activation Service, IIS, and PowerShell ISE. 
= Downloads and installs a custom IIS module. 
m Creates configuration and log directory and files. 
Once the appliance software is installed, you connect to the appliance by navigating to 

the following web application hosted on the appliance host: https://appliancename:44368 or 
https://AppliancelPAddress:44368 


NEED MORE REVIEW? MIGRATE APPLIANCES 


You can learn more about using a script to deploy a migrate appliance at https:// 
docs.microsoft.com/en-us/azure/migrate/deploy-appliance-script. 


Migrate VM workloads to Azure laaS 
You use the Microsoft Azure Site Recovery provider and the Microsoft Azure Recovery Service 
Agent when migrating Hyper-V VM workloads to Azure. You do not use the Azure Migrate for 
migrating Hyper-V workloads. 

Migrating Hyper-V VMs to Azure laaS VMs involves performing the following general steps: 


= Download the Hyper-V replication provider and the registration key file from the Azure 
Migrate project in the Azure portal. The registration key will be valid for five days. 
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Copy the provider setup file and the registration key file to each Hyper-V host or cluster 
node that hosts VMs that you want to migrate to Azure. Install the provider on each 
host and cluster node. During the installation process, you will need to specify the loca- 
tion of the registration key. 


In the Azure portal, navigate to the Azure Migrate project, and under Discover 
machines, ensure that you finalize registration for each Hyper-V host and cluster node 
on which you installed the provider. 


The discovery process will begin and the virtual machines associated with each Hyper-V 
host and cluster node will be represented in the portals. If you use a CSV file to import 

a server inventory to Azure Migrate, you need to ensure the following mandatory fields 
are present: Server name, Cores, OS Name, Memory (in MB). 


Choose up to 10 Hyper-V VMs to replicate to Azure. You are limited to replicating 10 VMs 
at a time. If you have performed an assessment for the VMs, you can apply the VM 

sizing and disk type recommendations. Do this by importing an existing Azure Migrate 
assessment. You can also configure laaS VM settings manually if you want to use your own 
judgment with respect to the best settings for laaS VM workloads. 


Select a target region, subscription, and resource group that will host the migrated 
Azure VMs. 

Select an Azure Storage account that will host the VM replication data during the migra- 
tion process. 

Specify which Azure virtual network and subnet the migrated VMs will connect to after 
the migration process completes. 


You have the options of choosing Azure laaS VM high availability options. You can 
choose No infrastructure redundancy, Availability Zones, or Availability Sets. 
Choose whether disk encryption will be configured for the Azure laaS VM. 
Determine if you want to apply Azure Hybrid Benefit to use existing licenses with 
Windows Server laaS VMs. 


Select which on-premises VM disks to replicate to Azure. You have the option of exclud- 
ing some disks from replication. If you do not replicate the disks, they will not be pres- 
ent in the migrated laaS VM. 


You also have the option of applying tags to laaS VMs, disks, and network adapters dur- 
ing the migration process. 


Once all these settings have been configured, you can replicate the on-premises VMs to 
Azure. Unless you configure an alternative setting, Azure Migrate will provision all resources in 
the same resource group as the migration project. 


Once the initial replication is complete, you can run a test migration. Test migrations 
allow you to determine if the migration has occurred as expected and will not impact the on- 
premises Hyper-V VMs. You should connect to and examine the test VMs extensively to ensure 
that all of the elements you expect to be present in the migrated workload are present. 
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Once you have validated the test migration workloads, you can then trigger a full migration. 
When performing the full migration, you have the option of shutting down the on-premises 
virtual machines to ensure that there is no data loss. Shutting down the on-premises virtual 
machines is not necessary to perform migration. 


Once the migration has successfully occurred, you can stop VM replication. When you stop, 
replication data will no longer be transmitted from the on-premises Hyper-V hosts or cluster 
nodes to Azure, the VM instance will be removed from the Replicating Servers count, and the 
replication state information will be removed from the storage account used to host replica- 
tion data. 


NEED MORE REVIEW? MIGRATING HYPER-V TO AZURE IAAS 


You can learn more about migrating Hyper-V to Azure laaS at https://docs.microsoft.com/ 
en-us/azure/migrate/tutorial-migrate-hyper-v. 


Migrate physical workloads to Azure laaS 


You can perform a physical-to-virtual migration that will convert a physically deployed server 
to an Azure laaS virtual machine. Prior to attempting a migration, you need to ensure that the 
existing physical server's configuration is one that is supported in Azure. You can check if the 
configuration is compatible using Azure Migrate: Discovery and Assessment. 


Installing the migration appliance involves downloading the installer and a registration key. 
The registration key is used to register the appliance with a specific Azure Migration project. 
The replication appliance used to migrate physical Windows Server instances includes the 
following elements: 


= Configuration server Configuration servers manage replication traffic between the 
on-premises environment and Azure. 


m Process server Functions asa replication gateway. Compresses and encrypts rep- 
lication traffic before transmission to Azure. The process server also hosts the Agent 
Installer, which installs the Mobility Service software. The Mobility Service must be 
installed and running on each physical server that you wish to migrate to Azure as an 
laaS VM. 


= MySQLinstance You can install MySQL manually or have the replication appliance 
automatically download and install a MySQL instance. 

Once the appliance is registered with Azure Migrate, you deploy the Mobility Service soft- 
ware by copying the installer files that are hosted on the appliance to the physical Windows 
Server instance you wish to migrate. When installing the Mobility Service, you must provide a 
passphrase associated with the appliance. You can view the passphrase by running the follow- 
ing command on the appliance: 


genpassphrase.exe -v 
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Once the Mobility Service is present on the physical server, it will appear asa server in the 
Azure Migrate project. Replicating a physical server to Azure involves the following steps: 


Specify the name of the Azure Migrate appliance you set up. 

Choose whether to use an existing migration assessment to determine the appropriate 
Azure laaS VM configuration. 

Select a target region, subscription, and resource group that will host the migrated 
Azure VMs. 

Select an Azure Storage account that will host the VM replication data during the migra- 
tion process. 

Specify which Azure virtual network and subnet the migrated VMs will connect to after 
the migration process completes. 

You have the options of choosing Azure laaS VM high availability options. You can 
choose No infrastructure redundancy, Availability Zones, or Availability Sets. 
Choose whether disk encryption will be configured for the Azure laaS VM. 

Determine if you want to apply Azure Hybrid Benefit to use existing licenses with Win- 
dows Server laaS VMs. 

Select which on-premises disks to replicate to Azure. You have the option of excluding 
some disks from replication. If you do not replicate the disks, they will not be present in 
the migrated laaS VM. 

You also have the option of applying tags to laaS VMs, disks, and network adapters 
during the migration process. 


Once initial replication is complete, you can perform the same set of tasks that you perform 
when replicating Hyper-V virtual machines. This includes performing a test migration, which 
creates test virtual machines from the replicated data, and then performing the final migration 
of the replicated servers to Azure laaS VMs. 


NEED MORE REVIEW? PHYSICAL-TO-IAAS MIGRATION 


You can learn more about migrating physical workloads to Azure laas at https:// 


docs.microsoft.com/en-us/azure/migrate/tutorial-migrate-physical-virtual-machines. 


9) EXAM TIP 


Remember that you need the project key to register an Azure Migrate appliance with Azure. 


Skill 4.3: Migrate workloads from previous versions to 
Windows Server 2022 


This objective deals with migrating a number of important workloads from computers running 
previous versions of Windows Server to Windows Server 2022. There are a variety of tools that 
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you can use to accomplish this goal, from the Windows Server Migration Tools to PowerShell 
cmdlets and tools built into consoles like Printer Management. 


This section covers how to: 

m Understand Windows Server Migration Tools 

m Migrate Internet Information Services (IIS) 

= Migrate Hyper-V hosts 

m Migrate Remote Desktop Services (RDS) host servers 
m Migrate Dynamic Host Configuration Protocol (DHCP) 


= Migrate print servers 


Understand Windows Server Migration Tools 


The Windows Server Migration Tools (WSMT) is a Windows Server feature that you can use to 
migrate a specific set of server roles, features, shared folders, operating system settings, and 
data from a source computer running Windows Server 2008 and later versions to Windows 
Server 2016, Windows Server 2019, or Windows Server 2022. 


You can use WSMT to migrate the following roles and features: 


Active Directory Certificate Services 
Active Directory Federation Services 
Active Directory Rights Management Services 
File and storage services 

Hyper-V 

Network Policy Server 

Remote Desktop Services 

Windows Server Update Services 
Cluster roles 

DHCP Server 

Web Server (IIS) 


WSMT supports: 


Migration from physically deployed operating systems to virtually deployed operating 
systems 


Server Core and Server with a GUI installation option on Windows Server 2008 R2 and 
later as the source operating system 


Server Core and Server with a GUI installation option for Windows Server 2019 and later 
as the destination operating system 
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You can’t use WSMT with Server Core on Windows Server 2008 because the .NET Frame- 
work is not available on the Server Core installation option of Windows Server 2008. WSMT can 
only be used if the source and destination operating systems are using the same Ul language. 
The system UI language is the one used when setting up the operating system. 


WSMT has the following requirements: 
= Must be deployed using an account that has local Administrator privileges on the source 
and destination servers. 
m The source server must have at least 23 MB of free space to store the WSMT deployment 
folder. 
m The source server must have the .NET Framework 3.51 installed. 


= Windows PowerShell must be present on the source server. By default, PowerShell is 
included with Windows Server 2008 R2 and later. 


You should always use the most recent version of the WSMT and migrate to the most recent 
version of the Windows Server operating system. 


Installing WSMT 


You can install WSMT on the destination server using the Instal1-WindowsFeature Migration 
PowerShell command or by installing the role using the Add Roles and Features Wizard. 
When you do this, WSMT is deployed in the %WinDir%\System32\ServerMigrationTools folder 
on the destination server. 

Once you've installed WSMT, you need to configure a deployment folder from which you 
will deploy the appropriate version of WSMT. Rather than deploy a generic version of the tools, 
deploy a version tailored for the source operating system. For example, to create a set of tools 
for a source computer running Windows Server 2012 R2, issue the following command: 


Smigdeploy.exe /package /architecture amd64 /os WS12R2 /path <path to share> 


You can either copy the contents of the deployment folder to the source computer or enact 
the tools remotely over a network connection by running smigdeploy.exe from an elevated 
command prompt. Installing the tools on a source server running the GUI option will give you a 
special migration tools PowerShell session with the title Windows Server Migration Tools. 

If you are running the tools on a computer that is configured with the Server Core installa- 
tion option, open an elevated PowerShell session and run the following command to add the 
WSMT cmdlets: 


Add-PSSnapin Microsoft.Windows.ServerManager.Migration 


Migrate Internet Information Services (IIS) 


This section addresses migrating IIS websites to servers running Windows Server 2022 from 
earlier versions of Windows Server. Later in this chapter, you will learn how to migrate IIS web- 
sites to Azure Web Apps and containers. 
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You can migrate IIS websites using the Web Deployment Tool, also known as Web Deploy. 
Web Deploy is available from the Microsoft Download Center. To migrate a website from one 
version of IIS running on an earlier version of Windows Server to IIS running on Windows 
Server 2022, perform the following steps: 


1. 


2; 


Install Web Deploy on the source and destination servers. 


Determine the dependencies of the website on the source server using the following 
command on the source server: 


msdeploy.exe -verb:getDependencies -source:metakey=1m/w3svc/1. 


Use the generated list of dependencies to determine what you should deploy on the 
destination Windows Server IIS host. 


You can back up the source server using the following command from an elevated 
command prompt or use the Web Deploy GUI from the IIS Manager console: 


ywindir%\system32\inetsrv\appcmd add backup "PreWebDeploy" 
Create a package file of the source server using the following command: 


msdeploy -verb:sync -source:metakey=Im/w3svc/1 -dest:package=c:\WebSitel.zip > 
WebDeployPackage. log 

After you transfer the package to the destination server running Windows Server 2022 
and install Web Deploy on that server, you can use the following command to extract 
the package and install the website and settings on the new host: 


msdeploy -verb:sync -source:package=c:\WebSitel.zip -dest:metakey=Im/w3svc/1 > 
WebDeploySync. log 


As an alternative to this method, you can perform a direct synchronization by installing 
the remote service on either the source or the destination host. You do this by deploying Web 


Deploy and then running the PowerShell command start-service msdepsvc. To perform a pull 


synchronization from a computer named sourcehost on the Windows Server 2022 computer 
that you wish to migrate the website to, first determine and deploy all dependencies and then 
run the following command: 


msdeploy -verb:sync -source:metakey=Im/w3svc/1, computername=sourcehost -dest:metakey=1Im/ 


w3svc/1 > msdeploysync. log 


NEED MORE REVIEW? MIGRATING IIS WEBSITES 


You can learn more about migrating IIS websites at https://docs.microsoft.com/en-us/iis/ 


publish/using-web-deploy/migrate-a-web-site-from-iis-60-to-iis-7-or-above. 


Migrate Hyper-V hosts 


There are several options available to perform migration of Hyper-V workloads from one ver- 


sion of Windows Server to a more recent version of Windows Server. You can use Hyper-V live 


Skill 4.3: Migrate workloads from previous versions to Windows Server 2022 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


175 


migration to move a running VM from one host to another, including between individual hosts 
using “shared nothing live migration.” Another alternative is to export a VM from one Windows 
Server Hyper-V host and then import the VM to the destination Windows Server Hyper-V VM 
host. The key when using either method is to determine when to upgrade the VM version since 
you won't be able to import a VM with a newer configuration version on a Hyper-V host. For 
example, Windows Server 2022 supports VMs running up to configuration version 10.0 but 
Windows Server 2019 supports VMs running up to configuration version 9.0, as shown in 
Figure 4-6. You can update VM configuration version using the Update-VvMVersion PowerShell 
cmdlet. Don’t upgrade the VM configuration version until you have upgraded all your Hyper-V 
hosts because you won't be able to run higher versions on older versions of Hyper-V. 


FIGURE 4-6 VM host configuration support 


Hyper-V live migration 

Live migration is the process of moving an operational VM from one physical virtualiza- 

tion host to another with no interruption to VM clients or users. Live migration is supported 
between cluster nodes that share storage between separate Hyper-V virtualization hosts that 
are not participating in a failover cluster using an SMB 3.0 file share as storage; live migration is 
even supported between separate Hyper-V hosts that are not participating in a failover cluster 
using a process called “shared nothing live migration.” In supported cluster configurations, you 
can use rolling cluster upgrades and Hyper-V live migration to introduce new nodes running 
more recent versions of Windows Server and live-migrate VMs to those nodes, removing 
cluster nodes running older versions of Windows Server. 


Live migration has the following prerequisites: 


m There must be two or more servers running Hyper-V that use processors from the same 
manufacturer (for example, all Hyper-V virtualization hosts configured with Intel pro- 
cessors or all Hyper-V virtualization hosts configured with AMD processors). 
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m Hyper-V virtualization hosts need to be members of the same domain, or they must be 
members of domains that have a trust relationship with each other. 


= VMs must be configured to use virtual hard disks or virtual Fibre Channel disks; pass- 
through disks are not allowed. 


It is possible to perform live migration with VMs configured with pass-through disks under 
the following conditions: 


m VMs are hosted on a Windows Server Hyper-V failover cluster. 
m Live migration will be within nodes that participate in the same Hyper-V failover cluster. 
= VM configuration files are stored on a Cluster Shared Volume. 


m The physical disk that is used as a pass-through disk is configured as a storage disk 
resource that is controlled by the failover cluster. This disk must be configured as a 
dependent resource for the highly available VM. 


If you are performing a live migration using shared storage, the following conditions must 
be met: 


m The SMB 3.0 share needs to be configured so that the source and the destination virtu- 
alization host's computer accounts have read and write permissions. 


m All VM files (virtual hard disks, configuration files, and snapshot files) must be located on 
the SMB 3.0 share. You can use storage migration to move VM files to an SMB 3.0 share 
while the VM is running before performing a live migration using this method. 


You must configure the source and destination Hyper-V virtualization hosts to support live 
migrations by enabling live migrations in the Hyper-V settings. When you do this, you specify 
the maximum number of simultaneous live migrations and the networks that you will use for 
live migration. Microsoft recommends using an isolated network for live migration traffic, 
though this is not a requirement. 


The next step in configuring live migration is choosing which authentication protocol and 
live migration performance options to use. You select these in the Advanced Features area 
of the Live Migrations settings. The default authentication protocol is CredSSP (Credential 
Security Support Provider). CredSSP requires local sign-in to both the source and the destina- 
tion Hyper-V virtualization host to perform live migration. Kerberos allows you to trigger live 
migration remotely. To use Kerberos, you must configure the computer accounts for each 
Hyper-V virtualization host with constrained delegation for the CIFS (Common Internet File 
System) and Microsoft Virtual System Migration Service services, granting permissions to the 
virtualization hosts that will participate in the live migration partnership. The performance 
options allow you to speed up live migration. Compression increases processor utilization. SMB 
will use SMB Direct if both the network adapters used for the live migration process support 
remote direct memory access (RDMA) and RDMA capabilities are enabled. 


Migration by VM Exporting and Import 


AVM export creates a duplicate of a VM that you can import on the same or a different 
Hyper-V virtualization host. When performing an export, you can choose to export the VM, 
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which includes all its VM checkpoints, or you can choose to export just a single VM checkpoint. 
Windows Server 2012 R2 and later support exporting a running VM. With Hyper-V in Windows 
Server 2012, Windows Server 2008 R2, and Windows Server 2008, it is necessary to shut down 
the VM before performing an export. 


Exporting a VM with all of its checkpoints will create multiple differencing disks. When you 
import a VM that was exported with checkpoints, these checkpoints will also be imported. If 
you import a VM that was running at the time of export, the VM is placed in a saved state. You 
can resume from this saved state, rather than having to restart the VM. 


When importing a VM, you can choose from the following options: 


Register The Virtual Machine In Place (Use The Existing ID) Use this option when 
you want to import the VM while keeping the VM files in their current locations. Because 
this method uses the existing VM ID, you can only use it if the original VM on which the 
export was created is not present on the host to which you wish to import the VM. 


Restore The Virtual Machine (Use The Existing Unique ID) Use this option when 
you want to import the VM while moving the files to a new location; for example, you 
would choose this option if you are importing a VM that was exported to a network 
share. Because this method also uses the existing VM ID, you can only use it if the origi- 
nal VM on which the export was created is not present on the host to which you wish to 
import the VM. 


Copy The Virtual Machine (Create A New Unique ID) Use this method if you want 
to create a separate clone of the exported VM. The exported files will be copied to a 
new location, leaving the original exported files unaltered. A new VM ID is created, 
meaning that the cloned VM can run concurrently on the same virtualization host as 
the original progenitor VM. When importing a cloned VM onto the same virtualization 
host as the original progenitor VM, ensure that you rename the newly imported VM; 
otherwise you may confuse the VMs. 


NEED MORE REVIEW? HYPER-V MIGRATION OPTIONS 


You can learn more about Hyper-V migration options at https://docs.microsoft.com/en-us/ 


previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486792(v=ws.11). 


Migrate Remote Desktop Services (RDS) host servers 


You can migrate the following Remote Desktop Services role services from a source server run- 
ning Windows Server 2012 or later to Windows Server 2022 by performing in-place upgrades: 


RD Connection Broker 
RD Virtualization Host 
RD Session Host 

RD Web Access 
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m RD Licensing 
m RD Gateway 
When migrating more than one role service, you should migrate in the following order: 
1. RD Connection Broker 
2. RD Session Host 
3. RD Virtualization Host 
4. RD Web Access 


You can migrate the RD Licensing and RD Gateway role services at any time during the 
migration process. You must always migrate the RD Connection Broker role service first. When 
migrating the RD license server, either ensure that the new license server has the same name 
or configure existing Remote Desktop deployments and standalone session host servers to the 
new license server after migration. Before migrating any RDS host server, perform a full server 
backup. 

Upgrading each RDS role service involves performing an in-place upgrade of the existing 
host operating system to Windows Server 2022. You may need to perform a hop migration, 
where you upgrade to an intermediate version of Windows Server to be able to upgrade all the 
way to Windows Server 2022. This is because you can only skip one version when performing 
an in-place upgrade. For example, to migrate from Windows Server 2012 RDS role services, you 
will need to upgrade each role service in the order specified earlier to Windows Server 2016 
before being able to upgrade from Windows Server 2016 to Windows Server 2022. 


NEED MORE REVIEW? MIGRATING RDS 


You can learn more about migrating RDS at https://docs.microsoft.com/en-us/ 
previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn479239(v=ws.11). 


Migrate Dynamic Host Configuration Protocol (DHCP) 


You can use WSMT to migrate a DHCP server, scopes, and settings from computers running 
both the Server Core and Server with a GUI installation option of Windows Server 2008 and 
later to Windows Server 2022. To perform a migration of a DHCP server using WSMT, you need 
access to accounts with the following permissions: 


m Permission to authorize the DHCP server in Active Directory 


m Membership of the local Administrator group on the computers that are both source 
and destination DHCP servers 


m Permission to write data to the WSMT migration store location 
DHCP migration follows the following general steps: 

m Preparation 

m Migration 


m Verification and post-migration tasks 
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Preparing to migrate DHCP 


Before you start the process of migrating a DHCP server and its associated scopes and settings 
to Windows Server 2022, you'll need to perform several preparation steps: 


Determine which current DHCP servers you wish to migrate and which servers running 
Windows Server 2022 will host the migrated DHCP server roles, associated scopes, and 
settings. 


Ensure that all critical updates, update rollups, and service packs have been installed on 
the source and destination servers. 


Deploy WSMT on the source and destination servers. 


Install the DHCP role service on the destination server. This service must be present on 
the destination server prior to beginning the migration. 


Ensure that the source and destination servers have the same number of network adapt- 
ers. Determine which subnet each network adapter is bound to on the source server and 
ensure that the destination server has network adapters bound to the same subnets. 
This will ensure that the migrated DHCP server can service the same subnets as the 
source DHCP server. 


Determine the IP address strategy for the destination server. DHCP servers should use 
static IP addresses on network interfaces that are used by the DHCP server service to 
manage DHCP traffic. Options include: 


m Assigning the destination server different static IP addresses that are on the same 
subnets as the static IP addresses assigned to network interfaces on the source 
server. Doing this will allow you to perform the migration with both the source and 
the destination server online. 


m Assign the destination server the same IP addresses that are used for network inter- 
faces for the source server. While this is possible, it will mean that the source and 
destination servers cannot be online at the same time without causing IP address 
conflicts, or it would require extensive preparation of network virtualization. Because 
existing clients will be able to renew their IP address information after migration 
from a destination server with a new IP address on the same subnet, you should 
only keep the same IP addresses on the source and destination servers if there are 
substantive reasons for doing so. 

If the source server does not use the default path for the DHCP server database, such 

as having the database stored on a separate volume, the destination server will need to 

have a volume configuration that matches that of the source server. For example, if the 

DHCP database is stored on volume H: of the source server, the destination server will 

need a properly formatted volume H: for migration to be successful. 

Ensure that the migration store location is accessible to both the source and the destina- 

tion servers. 

Ensure that both the source and the destination servers have network access to the AD 

DS environment. 
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Perform a backup of the DHCP server from the DHCP console rather than Windows 
Server Backup. You can do this by right-clicking the DHCP server node, selecting 
Backup, and specifying a location for the backup. You can also do this using the Export- 
DHCPServer cmdlet, which creates a backup of server configuration, including conflict 
detection settings, IPv4 and IPv6 scopes, policies, and lease data in XML format. 


Once the backup is complete, stop the DHCP service on the source and the destination 
servers, either by using the Services console or by running the Stop-Service DHCPserver 
Windows PowerShell cmdlet. 


Migration 


Once the source and destination servers are prepared, the next step is to open the Windows 
Server Migration Tools PowerShell session. You perform the migration using the Export- 


SmigServerSetting PowerShell cmdlet. Specific parameters of the Export-SmigServerSetting 
cmdlet that are relevant to DHCP server migration include: 


Use the FeatureID DHCP parameter to specify that the DHCP server role is what you want 
to migrate. 


Use the Users parameter if the DHCP Administrators group includes local user accounts. 
Use the Group parameter to migrate all members of the DHCP Administrators group that 
don't include local users but that do include domain users and groups. 


You can use the IPConfig parameter if you want to export the IP address configuration 
of the source server to the destination server. 

Use the Path parameter to specify the location of the svrmig.mig file. If you don’t specify 
a network location, you'll need to manually transfer this file to a location that is acces- 
sible to the destination server. 


When using the Import-SmigServerSetting cmdlet on the destination server, consider the 
following: 


Use the FeatureID DHCP parameter to specify that the DHCP server role is what you are 
importing. While the Import-SmigServerSetting cmdlet will install the DHCP server role if 
it is not already present on the destination server, Microsoft recommends installing the 
service and then placing it in a stopped state before importing data using WSMT. 

Use the Users parameter if the DHCP Administrators group on the destination server will 
include local users. Use the Group parameter if the DHCP Administrators group contains 
domain users and groups. 

Use the Path parameter to specify the location of the svrmig.mig file. This file can be 
stored on an accessible network share or stored locally. 


Once migration is complete, start the DHCP server service using the Start-Service 
DHCPServer cmdlet. 


If you haven't done so already, you'll need to authorize the DHCP server in Active 
Directory before it will function. 
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You can also use the Export-DCHPServer and Import-DCHPServer PowerShell commands to 
perform an import and export. Export-DHCPServer allows you to export the server service con- 
figuration (including conflict detection settings, IPv4 and IPv6 scopes, policies, and lease data) 
to an XML file. 


Verification and post-migration tasks 


Once the migration has occurred, ensure that the DHCP server service on the source server 
remains in a stopped state, as well as on a client release, and then renew an IP address to verify 
that the DHCP server service on the destination server is functioning properly. You should also 
manually check that the scopes and settings that were present on the source server are also 
present on the destination server. Once you have verified that the migration has completed 
successfully, remove the DHCP server service from the source computer. 


NEED MORE REVIEW? MIGRATING DHCP SERVERS 


You can learn more about migrating DHCP servers at https://docs.microsoft.com/en-us/ 
previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn495425(v=ws.11). 


Migrate print servers 


Print servers are Windows Server instances that host shared printers. Many organizations use 
shared printers, and although newer printers include networking functionality and the ability 
to store large queues of incoming print traffic, there are advantages to the more traditional 
approach of connecting a printer to a Windows Server instance and having remote clients 
connect through that Windows Server instance to the printer. If you think this is all a bit archaic, 
realize that Fax Server is still a role included with Windows Server because enough customers 
require it for it to remain viable. 


You manage printer migration using the Printer Migration Wizard, which is accessible 
through the Print Management snap-in of the Microsoft Management Console (MMC), as 
shown in Figure 4-7. You can use this wizard to export printer queues, printer ports, and printer 
drivers to a file that can then be imported on another Windows Server instance that has the 
Print Server role installed. You can install the Print Server role on a Windows Server computer 
by running the following command from an elevated PowerShell session: 


Install-WindowsFeature -IncludeAl1SubFeature -IncludeManagementTools Print-Services 


NEED MORE REVIEW? MIGRATE PRINT SERVERS 


You can learn more about printer migration at https://docs.microsoft.com/en-us/ 
previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj134150(v=ws.11). 
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FIGURE 4-7 Printer Migration Wizard 


Q) EXAM TIP 


Remember what tool you use to migrate print servers from one Windows Server host to 
another. 


Skill 4.4: Migrate IIS workloads to Azure 


This objective deals with migrating IIS websites to Azure Web Apps as well as migrating IIS 
workloads to containers. 


This section covers how to: 


= Migrate IIS workloads to Azure Web Apps 


= Migrate IIS workloads to containers 
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Migrate IIS workloads to Azure Web Apps 


IIS is a role that traditionally has been deployed on an organization's perimeter network. Work- 
loads on perimeter networks are exposed to hosts on the internet, and exposing a host to the 
internet inherently involves accepting a security risk that can be leveraged to access internal 
networks. One of the first workloads to be migrated to Azure in an attempt to mitigate risk is 


internet-facing workloads such as those on a perimeter network. 


You have to take into account the following when considering migrating an IIS workload to 
an Azure App Service Web App: 


You can connect an Azure Web App to an on-premises resource using App Service 
Hybrid Connections. 


You can publish on-premises web apps through Azure using Azure AD Application 
Proxy. 


Azure App Service supports port 80 for HTTP and port 445 for HTTPS. 


Azure App Service supports anonymous authentication and forms authentication. You 
can integrate Windows authentication if you use Azure Active Directory. 


Settings usually via applicationHost.config can be managed directly through the Azure 
portal. 


Web applications that require IIS5 compatibility mode are not supported. 


Azure App Service has each web app and all applications that run under it as part of 
the same application pool. If you need separate application pools for web apps, create 
separate Azure Web Apps. 


Azure App Service does not allow you to register COM components. Apps that make 
use of COM components will need to be rewritten in managed code. 


Azure App Service can use Azure Files to access files through SMB or blob storage for 
files through HTTPS. 


ISAPI filters are supported if you deploy the ISAPI DLL with the site and must be regis- 
tered using web.config. 


You can migrate SSL certificates and bind them to the new site once it is migrated. 


Web app connection strings should be stored in Azure Key Vault. It is possible to store 
sensitive information as an App Service setting, but this is not recommended. 


You migrate IIS apps to Azure Web Apps using the web app migration assistant. The web 
app migration assistant will assess on-premises .NET and PHP web apps and migrate them to 
Azure. To migrate a web app, perform the following general steps: 


Deploy the Azure Migrate appliance in your on-premises environment. The steps to do 
this were covered earlier in the chapter. 


Perform an Azure App Service assessment. This will detect IIS web apps that can be 
migrated to Azure in your on-premises environment. 
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m The assessment will determine which of the examined applications can be migrated to 
Azure as Azure App Service web apps. The report will describe each discovered app with 
the following assessment: 


m Ready No compatibility issues have been found. 


= Ready with conditions Noncritical compatibility issues, such as unsupported 
features. Will include information about recommended remediation steps. 


= Notready There are compatibility issues with the app that will block the migration. 


m A recommended web app SKU and a cost estimate will also be listed as part of the 
assessment. 


m From the list of assessed apps, select an app you wish to migrate and specify the App 
Service details where the app will be hosted. 


m Select a subscription, resource group, and region for the web app. You should also 
select an intermediate storage account that will store app data during the migration 
process. 


m Verify the App Service Plan details and then have Azure Migrate validate migration 
settings. Once migration settings are validated, you can trigger the migration. 


m Once the migration is complete, you should examine the web app to ensure that the 
version of the app in Azure meets your requirements. 


NEED MORE REVIEW? APP SERVICE MIGRATION 


You can learn more about app service migration at https://docs.microsoft.com/en-us/dotnet/ 
azure/migration/app-service. 


App Service Hybrid Connections 


App Service Hybrid Connections allow you to configure an Azure App Service app to connect 
to a resource, such as an on-premises SQL Server instance, on any network that is able to make 
outbound requests on TCP port 443. App Service Hybrid Connections will work with resources 
on any operating system as long as that endpoint is a TCP endpoint. 


App Service Hybrid Connections require a relay agent to be deployed where it has connec- 
tivity to the endpoint and Azure. The relay agent is called the Hybrid Connection Manager and 
communicates outbound on TCP port 443. The connection uses TLS 1.2 for security and shared 
access signature (SAS) keys for authorization and authentication. App Service apps make DNS 
requests to Hybrid Connection endpoints, so you'll have to configure the appropriate settings 
in your hybrid DNS infrastructure. 

To use App Service Hybrid Connections, you need to create a hybrid connection in the 
Azure portal and then install the Hybrid Connection Manager software on an on-premises 
host. The Hybrid Connection Manager is software that you can download from the Azure 
portal, and it will run on Window Server 2012 or later instances. When installing Hybrid Con- 
nection Manager, you need to sign in with an Azure account that has contributor access to 
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the App Service. The account is only required to make the connection, and the authentication 
credentials are not required after that. 


NEED MORE REVIEW? APP SERVICE HYBRID CONNECTIONS 


You can learn more about App Service Hybrid Connections at https://docs.microsoft.com/ 
en-us/azure/app-service/app-service-hybrid-connections. 


Azure AD Application Proxy 


You can use Azure AD Application Proxy to provide users on the internet with access to appli- 
cations and workloads running on on-premises networks that use AD DS authentication. 


You can use Azure AD Application Proxy with the following application types: 
m Web applications that use Integrated Windows Authentication 


Web applications that use header-based or form-based authentication 


Applications hosted through Remote Desktop Gateway 
m Rich client applications that are integrated with Microsoft Authentication Library (MSAL) 


Azure AD Application Proxy requires less administrative effort to configure than Web Appli- 
cation Proxy because you only need to deploy the Application Proxy Service in Azure and the 
Application Proxy connector on-premises. The Application Proxy connector can be deployed 
on a Windows Server computer running on a perimeter network and makes outbound con- 
nections to Azure. You can also deploy the Application Proxy connector directly on an internal 
network if you choose. The computer hosting the Application Proxy connector must be able to 
directly connect to the backend application. You do not need to open any port on the perim- 
eter firewall to allow inbound communication to the Application Proxy connector. You can 
deploy multiple Application Proxy connectors to ensure they remain highly available. 


NEED MORE REVIEW? AZURE AD APPLICATION PROXY 


You can learn more about Azure AD Application Proxy at https://docs.microsoft.com/azure/ 


active-directory/app-proxy/what-is-application-proxy. 


Migrate IIS workloads to containers 


Another option that organizations are pursuing with their IIS web apps is to migrate them to 
containers rather than having them require a full IIS instance on Windows Server for hosting. 
An application that is migrated into a container becomes substantially more portable than 

an application hosted on a full version of Windows Server. Once containerized, the applica- 
tion can be rapidly deployed on any Windows Server container host or deployed to one of the 
many different container hosting options available in Azure. 
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Earlier in the chapter, you learned how you could use Web Deploy to migrate IIS websites 
from an earlier version of Windows Serer to Windows Server 2022. For example, you can use 
the Web Deploy utility to create a zip file named Website1.zip of an IIS web app: 


msdeploy -verb:sync -source:metakey=Im/w3svc/1 -dest:package=c:\WebSitel.zip > 
WebDeployPackage. log 


You can also use Web Deploy from the IIS Manager Console to right-click a web application 
and select Deploy and then select Export Application. Once you have the web application 
exported in zip format, you can use the Containers extension in Windows Admin Center ona 
Windows Server computer that is configured as a container host to convert Web Deploy zip 
files into a Windows Server container image of the app. Once you have the image, you can 
export it and upload it to a container registry or generate containers based on that image. 


NEED MORE REVIEW? CONTAINERIZE IIS APP 


You can learn more about containerizing an IIS app at https://aka.ms/ContainerizellSApp. 


Dockerfiles are text files that allow you to automate the process of creating new container 
images. You use a Dockerfile with the docker build command to automate container creation, 
which is very useful when you need to create new container images from regularly updated 
base OS container images. 


Dockerfiles have the elements shown in Table 4-1. 


TABLE 4-1 Dockerfile elements 

Instruction Description 

FROM Specifies the container image used in creating the new image creation. For example: 
FROM mcr.microsoftcom/windows/servercore: Itsc2022 


RUN Specifies commands to be run and captures them into the new container image. 
For example: 


RUN wget -Uri "http://javad1.sun.com/webapps/download/ 
AutoDL?BundleId=107944" -outfile javaInstall.exe -UseBasicParsing 


RUN REG ADD HKLM\Software\Policies\Microsoft\Windows\Installer /v 
DisableRollback /t REG_DWORD /d 1 | Out-Nul1 


RUN ./javaInstall.exe /s INSTALLDIR=C:\Java REBOOT=Disable | Out-Nul1 


COPY Copies files and directories from the container host filesystem to the filesystem of the 
container. For Windows containers, the destination format must use forward slashes. For 
example: 


COPY examplel.txt c:/temp/ 
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Instruction Description 


ADD Can be used to add files from a remote source, such as a URL. For example: 


ADD https://www.python.org/ftp/python/3.9.9/python-3.9.9.exe 
/temp/python-9.9.9.exe 


WORKDIR Specifies a working directory for the RUN and CMD instructions. 


CMD A command to be run when deploying an instance of the container image. 


For example, the following Dockerfile will create a new container from the mcr.microsoft.com/ 
windows/servercore:ltsc2022 image, create a directory named ExampleDirectory, and then 
install the iis-webserver feature: 

FROM mcr.microsoftcom/windows/servercore: 1tsc2022 


RUN mkdir ExampleDirectory 
RUN dism.exe /online /enable-feature /all /featurename:iis-webserver /NoRestart 


You can include steps in your Dockerfile to acquire the Web Deploy software from the 
Microsoft website using the Invoke-webRequest cmdlet, install the software, acquire the zip 
file that includes the web deploy package with the web application, and then deploy the web 
application to the container. To use a Dockerfile to create a container image named exam- 
ple_image, change into the directory that hosts the Dockerfile (no extension) file, and run the 
following command: 


docker build -t example_image . 


()) Exam Tip 
Remember that you can use App Service Hybrid Connections to connect an Azure Web App 
to an on-premises SQL Server instance. 


Skill 4.5: Migrate an AD DS infrastructure to Windows 
Server 2022 AD DS 


A key element to guaranteeing the security and reliability of your AD DS deployment is ensur- 
ing that all AD DS domain controllers (DCs) in your domain are running the latest version of 
the Windows Server operating system. This is because DCs running the most recent versions 
of Windows Server that are fully up to date will always be more secure than DCs running an 
earlier version of Windows Server. 
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This section covers how to: 
m Upgrade an existing forest 
m Migrate AD DS objects, including users, groups and Group Policies, using Active 
Directory Migration Tool 


m Migrate to a new Active Directory forest 


Upgrade an existing forest 


The basic methodology of upgrading an AD DS forest is to ensure that all domain controllers 
are running the most recent version of Windows Server. The strategy recommended by Micro- 
soft for upgrading DCs in a domain or forest to Windows Server 2022 is to: 


m Add member servers running Windows Server 2022 to a domain. 


m Promote at least two of those member servers to domain controller in each domain in 
the forest. 


m Transfer Flexible Single Master Operations (FSMO) roles across to the domain controllers 
running Windows Server 2022 from the domain controllers running previous versions of 
Windows Server. This process is described in more detail in the next section. 


m Demote those domain controllers running the older version of the operating system. 


In some circumstances, you might need to perform an upgrade of a domain controller 
rather than using the recommended strategy. Prior to attempting the upgrade, manually run 
adprep /forestprep and adprep /domainprep from the \support\adprep folder of the Windows 
Server 2022 installation media. 


You should upgrade the domain controllers in the forest root domain and then upgrade 
domain controllers in any child domains. Once you've upgraded all the domain controllers in 
your organization, you can then raise the domain functional level of each domain in the forest 
to Windows Server 2016 using the Active Directory Domains and Trust console. Remember that 
the highest domain and forest functional level that you can configure for Windows Server 2022 
domain controllers is Windows Server 2016. 


Once you have raised the domain functional level of each domain in the forest to Windows 
Server 2016, you can raise the forest functional level to Windows Server 2016 using the Active 
Directory Domains and Trusts console. 


NEED MORE REVIEW? DOMAIN CONTROLLER UPGRADE 


You can learn more about domain controller upgrade at https://docs.microsoft.com/en-us/ 
windows-server/identity/ad-ds/deploy/upgrade-domain-controllers. 
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Transfer FSMO role holder 


By default, FSMO roles are allocated to the first domain controller ina domain. After you have 
more than one domain controller in each domain, you should manually start to move FSMO 
roles to other domain controllers. This protects you from a situation where the first domain 
controller deployed in each domain goes offline and all FSMO roles become unavailable. When 
upgrading an existing forest, you'll need to locate existing FSMO roles and transfer them to 
newly deployed domain controllers running Windows Server 2022. 


The schema master is the single server in the forest that is able to process updates to the AD 
DS schema. The AD DS schema defines the functionality of AD DS. For example, by modifying 
the schema, you can increase the available attributes for existing objects as well as enable AD 
DS to store new objects. The domain controllers that host the schema master role should be 
located in the root domain of the forest. You can determine which computer hosts the schema 
master role by running the following PowerShell command: 


Get-ADForest example.internal | FT SchemaMaster 


The domain naming master is a forest-level role that is responsible for managing the addi- 
tion and removal of domains from the forest. The domain naming master also manages refer- 
ences to domains in trusted forests. In a multidomain environment, the domain controller that 
hosts this forest-level role should be deployed in the root forest. The domain naming master is 
also contacted when new instances of AD DS application directory partitions are added, such 
as when you configure a limited directory partition replication scope for an AD DS-integrated 
DNS zone. You can determine which server hosts the domain naming master role by running 
the following PowerShell command: 


Get-ADForest example.internal | FT DomainNamingMaster 


The PDC (Primary Domain Controller) emulator role is a domain-level FSMO role that is 
responsible for handling both changes to account passwords as well as domain time syn- 
chronization. Account Lockout is also processed by the PDC emulator. PDC emulators in child 
domains synchronize time against the PDC emulator in the forest root domain. You should 
ensure that the PDC emulator in the forest root domain synchronizes against a reliable external 
time source. To determine which domain controller in a specific domain hosts the PDC 
emulator role, run the following PowerShell command: 


Get-ADDomain example.internal | FT PDCEmulator 


The computer that hosts the infrastructure master role keeps track of changes that occur 
in other domains in the forest as they apply to objects in the local domain. The infrastructure 
master FSMO role holder updates an object's SID (Security Identifier) and distinguished name 
in a cross-domain object reference. You should avoid having the infrastructure master role 
co-located with a domain controller that hosts the Global Catalog server role unless all DCs in 
the domain are configured as Global Catalog servers. You can determine which computer in a 
domain hosts the infrastructure master role by running the following PowerShell command: 


Get-ADDomain example.internal | FT InfrastructureMaster 


Migrate servers and workloads 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


The RID (Relative ID) master processes relative ID requests from domain controllers ina 
specific domain. Relative IDs and domain Security IDs are combined to create a unique Security 
ID (SID) for the object. There is an RID master in each domain in the forest. You can use the fol- 
lowing PowerShell command to determine which computer hosts the RID Master role: 


Get-ADDomain example.internal | FT RidMaster 


You can use the Move-ADDi rectoryServerOperationMasterRole cmdlet to move an FSMO role 
from one domain controller to another. For example, to move the RID Master, Infrastructure 
Master, and Domain Naming Master roles to a domain controller named MEL-DC2, run the 
following command: 


Move-ADDi rectoryServerOperationMasterRole -Identity MEL-DC2 -OperationMasterRole 
RIDMaster, InfrastructureMaster , DomainNamingMaster 


DNS migration 


The simplest way to migrate DNS is where DNS zones are Active Directory integrated. In that 
scenario, you add member servers running Windows Server 2022 to an existing domain, 
promote those servers to domain controllers, and make sure that you add the DNS role. Any 
existing AD-integrated zones that are configured to replicate to other domain controllers in 
the domain will replicate to the newly promoted domain controller. Remember to add custom 
partitions if you have AD-integrated zones that only replicate to specific domain controllers. 


The trick to migrating primary zones from one DNS server to another is to first configure the 
destination server to host a secondary zone of the primary zone. Once the zone has replicated 
to the intended destination server, convert the zone from a secondary zone to function as a 
primary zone. You can do this by performing the following steps: 


1. On the General tab of the secondary zone Properties, shown in Figure 4-8, select Change. 


contoso.pri Properties ? x 
Name Servers WINS Zone Transfers 
General Start of Authority (SOA) 

Status: Running Pause 
Type: secondary 
Change... 
Zone fle name: 
‘contoso.or1.dns, 
Master Servers: 
| 1P Address Server FQON 
| 192. 169.3.10 DCI 
Edit 
OK Cancel Apply Help 


FIGURE 4-8 Zone General Properties tab 
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2. Inthe Change Zone Type dialog box, shown in Figure 4-9, select Primary Zone and then 


select OK. 


Change Zone Type x 


Select a zone type: 


@ Primary zone 
Stores a copy of the zone that can be updated directly. 

O Secondary zone 
Stores a copy of an existing zone. This option helps balance the processing load of 
primary servers and provides fault tolerance. 

O Stub zone 


Stores a copy of a zone containing only NS, SOA, and possibly 
glue A records. A server containing a stub zone is not 
authoritative for that zone. 


Store the zone in Active Directory (available only if DNS server is a domain controller) 


[aT] ee 


FIGURE 4-9 Change Zone Type 


Demote existing domain controllers 


Once you have deployed new AD DS domain controllers running Windows Server 2022 to your 
environment and redeployed FSMO roles from the existing AD DS DC hosts to Windows Server 


2022 DC instances, you can demote the previous version AD DS DCs back to the member 
server role. 


To remove AD DS and demote the domain controller, run the Uninstal1-ADDSDomainController 


PowerShell cmdlet. When you run this cmdlet, you will be prompted to provide a new pass- 


word for the local Administrator account. You can also pass a password as a secure PowerShell 
string to the command if you so choose. The Windows Server instance will automatically restart 


to complete the domain controller demotion process. 


In the case where you actually want to remove all AD DS domain controllers from a 
domain, such as when pruning existing domains from a forest, you can use the Uninstal1- 


ADDSDomainController cmdlet with the LastDomainControllerlnDomain and RemoveApplicai- 


tonPartitions parameters. 


Once the Windows Server instance restarts, you can use the following command to remove 


the AD DS installation files from the server: 


Uninstal1-WindowsFeature AD-Domain-Services 


NEED MORE REVIEW? DEMOTING DOMAIN CONTROLLERS 


You can learn more about demoting domain controllers at https://docs.microsoft.com/ 
en-us/windows-server/identity/ad-ds/deploy/demoting-domain-controllers-and-domains-- 
level-200-. 
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Migrate AD DS objects, including users, groups and Group 
Policies, using Active Directory Migration Tool 


Organizational requirements occasionally necessitate a need to change an existing AD DS 
forest and domain structure. For example, a reorganization or divestment might require you 
to consolidate or split existing domains. When this occurs, some AD DS objects will need to be 
moved from one domain to another in the same forest. To perform this task, you can use the 
Active Directory Migration Tool. 


The Active Directory Migration Tool (ADMT) is a tool that you can use to migrate Active 
Directory objects to and from any Active Directory environments, from moving accounts 
within a forest, to migrating accounts to a new Active Directory forest. 


The Active Directory Migration Tool requires that you have access to an SQL Server instance. 
This can be a full SQL Server deployment or a local SQL Server express instance. ADMT includes 
the following wizards, shown in Figure 4-10. 


BS migrator - [Active Directory Migration Tool] - oO x 
i File Action View Window Help -0k 
420] User Account Migration Wizard 


© activ Group Account Migration Wizard 
QR Computer Migration Wizard 

Security Translation Wizard 
Reporting Wizard 
Service Account Migration Wizard 
Managed Service Account Migration Wizard 
Retry Task Wizard 
Password Migration Wizard 
Customer Feedback Options... 


New Window from Here 


Refresh 
Export List... 


Help 


FIGURE 4-10 Active Directory Migration Tool 


m User Account Migration Wizard Allows you to perform an intraforest or interforest 
migration of user account objects. 


= Group Account Migration Wizard Allows you to perform an intraforest or interfor- 
est migration of group account objects, including group membership information. 


= Computer Migration Wizard Allows you to perform an intraforest or interforest 
migration of computer account objects. 


= Security Translation Wizard Allows you to transfer security permissions during 
object migration. 
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= Reporting Wizard Generates the following reports: 


= Migrated Users, Groups, and Managed Service Accounts report Summarizes 
result of the migration of user, group, and managed service accounts. 


= Expired Computers Report Lists computers found that have expired computer 
account passwords. 


= Account References Report Lists accounts that have been assigned permissions 
for resources on a specific computer. 


= Name Conflicts Report Lists user accounts and groups that are present in both 
the source and the target domains. 


= Service Account Migration Wizard Allows you to perform intraforest or interforest 
service account migration. 


= Managed Service Account Migration Wizard Allows you to perform intraforest or 
interforest managed service account migration. 


= Password Migration Wizard Allows you to perform intraforest or interforest pass- 
word migration. 


NEED MORE REVIEW? ACTIVE DIRECTORY MIGRATION 


You can learn more about the Active Directory Migration at https://docs.microsoft.com/en-us/ 
previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc974412(v=ws.10). 


Migrate to a new Active Directory forest 


Certain scenarios, such as when one organization is acquired by another, may require the 
migration of users, groups, Group Policies, and other AD DS objects from one forest to another. 
Migrating to a new AD DS forest isn’t just something that occurs during organizational merg- 
ers. Many older AD DS deployments have built up objects and settings that are no longer 
relevant, and rather than attempt to go through and rationalize the existing deployment, it is 
simpler to migrate necessary objects to a new forest and decommission the old one. The older 
an Active Directory environment is, the more likely it is to have an inefficient domain and OU 
structure, derelict user and computer accounts, unutilized sites, and forgotten Group Policy 
Objects and groups. Just as Microsoft recommends performing fresh installations rather than 
in-place upgrades for individual computers, it may make more sense to migrate to a new for- 
est than it does to remain with an existing Active Directory forest. This is especially true if an 
organization is considering moving toward a secure administrative model where the privileged 
accounts in a production forest are unprivileged standard accounts in the secure administra- 
tive forest. 


You can use ADMT to perform an interforest restructure or an intraforest restructure: 


m An intraforest restructure allows you to modify your current domain and forest struc- 
ture to reduce complexity. 
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m An interforest restructure involves creating a brand new, simplified forest structure 
using Active Directory objects from your existing forest. 


Table 4-2 lists the difference between each restructure type when using ADMT to perform 


the operation. 


TABLE 4-2 Migration differences 


Consideration 


Object preservation 


SID history maintenance 


Password retention 


Profile migration 


NEED MORE REVIEW? 


Interforest restructure 


Objects, such as accounts, will 
be cloned. The original object 
remains in the source forest. 


SID history maintenance is 
optional. 


Password retention is optional. 


Local profiles can be migrated 
using ADMT. 


INTERFOREST RESTRUCTURE 


Intraforest restructure 


User and group objects are migrated and 
are no longer present in the source location. 
Computer and managed service account 
objects are copied and remain in the source 
location. 


SID history is mandatory for user, group, 
and computer accounts. It is not required 
for managed service accounts. 


Passwords are always retained. 


Local profiles are automatically migrated, 
and account GUID is preserved. 


You can learn more about interforest restructure at https://docs.microsoft.com/en-us/ 


previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc974335(v=ws.10). 


{) EXAM TIP 


md 


Remember the difference between an interforest and an intraforest restructure. 


Chapter summary 


m Storage Migration Service allows you to transfer data and share settings. 


m You can cut over to a new server using Storage Migration Service where the destination 


server assumes the identity of the source server. 


m Use Storage Migration Service to migrate to Azure VMs. 


m You can use Robocopy or Azure Data Box to migrate data to Azure File Shares. 


m You can migrate VM workloads and physical workloads to Azure laaS using Azure 


Migrate. 


m You can migrate IIS web apps to using Web Deploy to transfer the websites. 


m You can migrate DHCP and print servers using tools built into their respective consoles. 


Chapter summary 
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m You can migrate IIS workloads to containers using Web Deploy and Windows Admin 
Center. 


m You can migrate AD DS objects, including users, groups, and Group Policies using AD 
Migration Tool. 


m You can migrate to a new Active Directory forest using Active Directory Migration Tool. 


Thought experiment 


In this thought experiment, demonstrate your skills and knowledge of the topics covered in this 
chapter. You can find answers to this thought experiment in the next section. 


You are in the process of updating the file server infrastructure at Tailwind Traders. You 
need to migrate 30 existing file servers that are currently running the Windows Server 2008 
operating system to file servers that are running the Windows Server 2022 operating system. 
Each file server hosts between 3 and 10 shares that are mapped through Group Policies to 
different users and computers throughout the organization. Tailwind Traders also has 60 TB 
of archived video data on a storage area network that you would like to migrate to Azure. 
On-premises clients should be able to connect to the Azure file share that eventually stores this 
data using on-premises AD DS credentials. With this information in mind, answer the following 
questions: 


1. What tool should you use to migrate the Windows Server 2008 file servers to Windows 
Server 2022 without impacting existing mapped user volumes? 


2. What tool should you use to migrate the 60 TB of archived video data from your on- 
premises storage area network to an Azure file share? 


3. What cmdlet can you use from Azure Cloud shell to enable AD DS authentication on the 
storage account that hosts the Azure file share? 


Thought experiment answers 


This section contains the solution to the thought experiment. Each answer explains why the 
answer choice is correct. 

1. You can use Storage Migration Service to migrate the Windows Server 2008 file servers 
to Windows Server 2022. Existing mapped user volumes will not be impacted as the 
new Windows Server 2022 instances can be assigned the same network identity as the 
source Windows Server 2008 file servers. 

2. You should use Azure Data Box to migrate the 60 TB of archived video data from your 
on-premises storage array to an Azure file share. 

3. You enable AD DS authentication on the storage account using the Join- 
AzStorageAccount cmdlet. 
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Monitor and troubleshoot 
Windows Server 
environments 


Windows Servers should be monitored and maintained over their operational lifespans to 
ensure that they continue to function as well as possible whether they are deployed on- 
premises or in Azure. Monitoring and maintenance not only involve regularly checking 
performance and event logs but also troubleshooting problems when computers won't boot. 
You also need to know what techniques to employ to diagnose what the issue might be when 
hybrid workloads in different locations cannot communicate due to either network problems 
or problems related to hybrid identity. 


Skills covered in this chapter: 
m Skill 5.1: Monitor Windows Server by using Windows Server tools and Azure services 
m Skill 5.2: Troubleshoot Windows Server on-premises and hybrid networking 
m Skill 5.3: Troubleshoot Windows Server virtual machines in Azure 


m Skill 5.4: Troubleshoot Active Directory 


Skill 5.1: Monitor Windows Server by using Windows 
Server tools and Azure services 


This objective deals with monitoring how Windows Server is running and how you can 


centralize the collection of performance and event telemetry into a Log Analytics workspace. 


To master this objective, you'll need to understand the different technologies that you can 
use to monitor Windows Server and the Azure hybrid tools that are available to collect and 
analyze that information. 
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This section covers how to: 

= Monitor Windows Server by using Performance Monitor 

= Create and configure data collector sets 

= Monitor servers using Windows Admin Center 

= Monitor by using System Insights 

m Manage event logs 

= Deploy Azure Monitor and Log Analytics agents 

= Collect performance counters to Azure 

= Create alerts 

= Monitor Azure Virtual Machines by using Azure Diagnostics extension 


= Monitor Azure Virtual Machines performance by using VM Insights 


Monitor Windows Server by using Performance Monitor 


Every server administrator has heard users complain that a server is running slow, but deter- 
mining whether it's just a matter of perception on the part of a user or an actual slowdown 
requires you to monitor the server's performance. You can do this by collecting and analyzing 
performance telemetry. 


Performance Monitor 
Performance Monitor allows you to view real-time telemetry on various performance coun- 
ters. When adding a counter, you can choose whether you wish to display a single instance 
or a total of all instances. For example, if a server has more than one CPU, you can choose to 
monitor each CPU individually or add a counter that monitors total CPU usage, as shown in 
Figure 5-1. 

You add counters to Performance Monitor that measure the following: 

= Memory 

m Processor 

m System 

m Physical disk 


m Network interface 
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FIGURE 5-1 Performance Monitor 


Performance counter alerts 


Performance counter alerts enable you to configure a task to run when a performance counter, 
such as available disk space or memory, falls under or exceeds a specific value. To configure a 
performance counter alert, you create a new data collector set, choose the Create Manually 
option, and select the Performance Counter Alert option. 


You add the performance counter, threshold value, and whether the alert should be trig- 
gered if the value exceeds or falls below the set value. When you create an alert by default, 
it adds an event to the event log only when it is triggered. This is useful if you have tools that 
allow you to extract this information from the event log and use the information as a way of 
tracking when alerts occur. You can also configure an alert to run a scheduled task when it is 
triggered. You can do this by editing the properties of the alert and by specifying the name of 
the scheduled task on the Task tab. 


NEED MORE REVIEW? PERFORMANCE MONITOR 


You can learn more about Performance Monitor at https://docs.microsoft.com/en-us/ 
troubleshoot/windows-server/performance/performance-overview. 
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Create and configure data collector sets 


Data collector sets enable you to gather performance data, system configuration information, 
and statistics into a single file. You can use Performance Monitor or other third-party tools 

to analyze this information to determine how well a server is functioning against an assigned 
workload. 


You can configure data collector sets to include the following: 


Performance counter data The data collector set includes not only specific perfor- 
mance counters, but also the data generated by those counters. 


Event trace data Enables you to track events and system activities. Event trace data 
can be useful when you need to troubleshoot misbehaving applications or services. 


System configuration information Enables you to track the state of registry keys 
and record any modifications made to those keys. 


Windows Server includes the following built-in data collector sets: 


Active Directory Diagnostics Available if you have installed the computer as a 
domain controller; it provides data on Active Directory health and reliability. 


System Diagnostics Enables you to troubleshoot problems with hardware, drivers, 
and STOP errors. 


System Performance Enables you to diagnose problems with sluggish system per- 
formance. You can determine which processes, services, or hardware components might 
be causing performance bottlenecks. 


To create a data collector set, perform the following steps: 


Open Performance Monitor from the Tools menu of the Server Manager console. 
Expand Data Collector Sets. 


Select User Defined. On the Action menu, select New and then select Data 
Collector Set. 


You are given the option to create the data collector set from a template, which enables 
you to choose from an existing data collector set, or to create a data collector set manu- 
ally. If you choose to create a data collector set manually, you have the option to create 
a data log, which can include a performance counter, event trace data, and system 
configuration information, or to create a performance counter alert. 


If you select to create data logs and select Performance Counter, next choose which 
performance counters to add to the data collector set. You can also specify how often 
Windows should collect data from the performance counters. 

If you choose to include event trace data, you need to enable event trace providers. A 
large number of event trace providers are available with Windows Server 2019. You use 
event trace providers when troubleshooting a specific problem. For example, the Micro- 
soft Windows-AppLocker event trace provider helps you diagnose and troubleshoot 
issues related to AppLocker. 
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7. Ifyou choose to monitor system configuration information, you can select registry keys 
to monitor. Selecting a parent key enables you to monitor all registry changes that occur 
under that key while the data collector set is running. 


8. Next, specify where you want data collected by the data collector set to be stored. The 
default location is the %systemdrive%\PerfLogs\Admin folder. If you intend to run the 
data collector set for an extended period of time, you should store the data on a volume 
that is separate from the one hosting the operating system because this ensures that 
you don't fill up your system drive by mistake. 


9. The final step in setting up a data collector set is to specify the account under which the 
data collector set runs. The default is Local System, but you can configure the data col- 
lector set to use any account that you have the credentials for. 


You can schedule when a data collector set runs by configuring the Schedule tab of a data 
collector set's properties. 


NEED MORE REVIEW? DATA COLLECTOR SETS 


You can learn more about data collector sets at https://docs.microsoft.com/en-us/ 
previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc749337(v=ws.11). 


Monitor servers using Windows Admin Center 


Windows Admin Center includes performance monitoring functionality that is similar to the 
traditional Performance Monitor console. Both versions of Performance Monitor can use the 
same performance counters, but the Windows Admin Center version is designed to be able to 
connect to remote servers to simplify the process of remote performance monitoring. Perfor- 
mance Monitor in Windows Admin Center can show data in line format, report, min-max, and 
heatmap (shown in Figure 5-2). 


Windows Admin Center Server Manager Microsoft 
twt-wac.tailwindtraders.internal 


Performance Monitor > Processor prevew 


P Pause = Save Settings 

a 

kad Object Instance Counter Graph type 
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FIGURE 5-2 Windows Admin Center Performance Monitor heatmap 
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NEED MORE REVIEW? WINDOWS ADMIN CENTER ALERTS 


You can learn more about alerts in Windows Admin Center at https://docs.microsoft.com/ 
en-us/windows-server/manage/windows-admin-center/azure/azure-monitor. 


Monitor by using System Insights 


System Insights is a predictive analytics tool for Windows Server that predicts, using machine 
learning, when a server's current resource capacity will be exceeded. By default, System 
Insights can predict future resource consumption for compute, networking, and storage. Sys- 
tem Insights needs approximately 180 days of data to be able to make a prediction for the next 
60 days. System Insights also includes the ability for third parties to include add-ons. System 
Insights will provide the following prediction status indicators: 


= OK Forecast indicates capacity will not be exceeded. 

= Warning Forecast predicts that capacity will be exceeded within 30 days. 
m Critical Forecast predicts that capacity will be exceeded in the next 7 days. 
m Error An unexpected error has occurred. 


= None Not enough data has been collected to make a forecast. 


NEED MORE REVIEW? SYSTEM INSIGHTS 


You can learn more about System Insights at https://docs.microsoft.com/en-us/ 
windows-server/manage/system-insights/overview. 


Manage event logs 


Event Viewer enables you to access recorded event information. Not only does Windows Server 
offer the application, security, setup, and system logs, but it also contains separate application 
and service logs. These logs are designed to provide information on a per-role or per-application 
basis, rather than having all application and role service-related events funneled into the appli- 
cation log. When searching for events related to a specific role service, feature, or application, 
check to see whether that role service, feature, or application has its own application log. 


Event log filters 


Filters and event logs enable you to view only those events that have specific characteristics. 
Filters only apply to the current Event Viewer session. If you constantly use a specific filter or set 
of filters to manage event logs, you should instead create a custom view. Filters only apply toa 
single event log. You can create log filters based on the following properties: 


m Logged Enables you to specify the time range for the filter. 


m EventLevel Enables you to specify event levels. You can choose the following options: 
Critical, Warning, Verbose, Error, and Information. 
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Event Sources Enables you to choose the source of the event. 


Event IDs Enables you to filter based on event ID. You can also exclude specific 
event IDs. 


Keywords Enables you to specify keywords based on the contents of events. 
User Enables you to limit events based on user. 


Computer Enables you to limit events based on the computer. 


To create a filter, perform the following steps: 


= 


2 
3. 
4 


Open Event Viewer and select the log that you want to filter. 
Determine the properties of the event that you want to filter. 
In the Actions pane, select Filter Current Log. 


In the Filter Current Log dialog box, specify the filter properties. 


Event log views 


Event log views enable you to create customized views of events across any event log stored 
on a server, including events in the forwarded event log. Rather than looking through each 
event log for specific items of interest, you can create event log views that target only those 
specific items. For example, if there are certain events that you always want to look for, create a 
view and use the view rather than comb through the event logs another way. By default, Event 
Viewer includes a custom view named Administrative Events. This view displays critical, warn- 
ing, and error events from a variety of important event logs such as the application, security, 
and system logs. 


Views differ from filters in the following ways: 


Persistent You can use a view across multiple Event Viewer sessions. If you configure a 
filter on a log, it is not available the next time you open the Event Viewer. 


Include multiple logs A custom view can display events from separate logs. Filters 
are limited to displaying events from one log. 


Exportable You can import and export event log views between computers. 


The process for creating an event log view is similar to the process for creating a filter. The 
primary difference is that you can select events from multiple logs, and you give the event log 
view a name and choose a place to save it. To create an event log view, perform the following 


steps: 
1. 
2. 


Open Event Viewer. 


Select the Custom Views node and then select Create Custom View from the Actions 
menu. 


In the Create Custom View dialog box, select the properties of the view, including: 
m When the events are logged 
m The event level 


m Which event log to draw events from 
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m Event source 
m Task category 
m Keywords 

m User 

= Computer 


4. Inthe Save Filter To Custom View dialog box, enter a name for the custom view and a 
location to save the view in. Select OK. 


5. Verify that the new view is listed as its own separate node in the Event Viewer. 


You can export a custom event log view by selecting the event log view and selecting 
Export Custom View. Exported views can be imported on other computers running Windows 
Server. 


Event subscriptions 


Event log forwarding enables you to centralize the collection and management of events from 
multiple computers. Rather than having to examine each computer's event log by remotely 
connecting to that computer, event log forwarding enables you to do one of the following: 


= Configure a central computer to collect specific events from source computers. Use this 
option in environments where you need to consolidate events from only a small number 
of computers. 


= Configure source computers to forward specific events to a collector computer. Use this 
option when you have a large number of computers that you want to consolidate events 
from. You configure this method by using Group Policy. 


Event log forwarding enables you to configure the specific events that are forwarded to 
the central computer. This enables the computer to forward important events. It isn't neces- 
sary, however, to forward all events from the source computer. If you discover something from 
the forwarded traffic that warrants further investigation, you can log on to the original source 
computer and view all the events from that computer in a normal manner. 


Event log forwarding uses Windows Remote Management (WinRM) and the Windows Event 
Collector (wecsvc). You need to enable these services on computers that function as event for- 
warders and event collectors. You configure WinRM by using the winrm quickconfig command 
and you configure wecsvc by using the wecuti1 qc command. If you want to configure sub- 
scriptions from the security event log, you need to add the computer account of the collector 
computer to the local Administrators group on the source computer. 


To configure a collector-initiated event subscription, configure WinRM and Windows Event 
Collector on the source and collector computers. In the Event Viewer, configure the Subscrip- 
tion Properties dialog box with the following information: 


= Subscription Name The name of the subscription. 


= DestinationLog The log where collected events are stored. 
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= Subscription Type and Source Computers: Collector Initiated Use the Select 
Computers dialog box to add the computers that the collector retrieves events from. 
The collector must be a member of the local Administrators group or the Event Log 
Readers group on each source computer, depending on whether access to the security 
log is required. 

m Events to Collect Create a custom view to specify which events are retrieved from 
each of the source computers. 


If you want to instead configure a source computer-initiated subscription, you need to con- 
figure the following Group Policies on the computers that act as the event forwarders: 


= Configure Forwarder Resource Usage This policy determines the maximum event 
forwarding rate in events per second. If this policy is not configured, events are trans- 
mitted as soon as they are recorded. 


= Configure Target Subscription Manager This policy enables you to set the location 
of the collector computer. 


Both of these policies are located in the Computer Configuration\Policies\Administrative 
Templates\Windows Components\Event Forwarding node. When configuring the subscription, 


you must also specify the computer groups that hold the computer accounts of the computers 
that are forwarding events to the collector. 


Event-driven tasks 


Event Viewer enables you to attach tasks to specific events. A limitation to the process of creat- 
ing event-driven tasks is that you need to have an example of the event that triggers the task 
already present in the event log. Events are triggered based on an event having the same log, 
source, and event ID. 

To attach a task to a specific event, perform the following steps: 

1. Open Event Viewer. Locate and select the event that you want to base the new task on. 


2. Inthe Event Viewer Actions pane, select Attach Task To This Event. The Create Basic 
Task Wizard opens. 


3. On the Create A Basic Task page, review the name of the task that you want to create. By 
default, the task is named after the event. Select Next. 

4. On the When An Event is Logged page, review the information about the event. This 
lists the log that the event originates from, the source of the event, and the event ID. 
Select Next. 

5. Onthe Action page, you can choose the task to perform. The Send An E-Mail and Dis- 
play A Message tasks are deprecated, and you receive an error if you try to create a task 
using these actions. Select Next. 


6. On the Start A Program page, specify the program or script that should be automatically 
triggered as well as additional arguments. 
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7. After you create the task, you can modify the task to specify the security context under 
which the task executes. By default, event tasks only run when the user is signed on, but 
you can also choose to configure the task to run whether the user is signed on or not. 


NEED MORE REVIEW? MANAGE EVENT LOGS 


You can learn more about managing event logs at https://docs.microsoft.com/en-us/ 
previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc722404(v=ws.11). 


Deploy Azure Monitor and Log Analytics agents 

Azure Monitor allows you to collect, analyze, and respond to telemetry from a variety of Azure 
resources as well as Windows Server VMs that are connected through the Azure Monitor or 
Log Analytics agent. 


Azure Monitor agents 

One confusing element is the ongoing shift in naming of the various agents used by Azure 
Monitor and Log Analytics. At various points the agents used have had different names and 
different functionality. Some documentation will refer to OMS agents, others Azure Monitor 
agents, and some Log Analytics agents. 

= Azure Monitor agent The most recent version of the agent consolidates features 
from all prior agents. 

m Log Analytics agent This agent can be deployed on Azure laaS VMs or Windows 
Server instances in hybrid environments. Data from the Log Analytics agent is ingested 
by Azure Monitor logs. The Log Analytics agent will be deprecated by Microsoft in 
August 2024. 

= Azure Diagnostics extension This is only used with Azure laaS VMs. The Azure Diag- 
nostics extension collects data related to Azure Storage, Azure Event Hubs, and Azure 
Monitor. 


NEED MORE REVIEW? AZURE MONITOR AGENT FAQ 


You can learn more about the different Azure Monitor agents at https://docs.microsoft.com/ 
en-us/azure/azure-monitor/faq#azure-monitor-agent. 


Installing the agent 


Installing the Azure Monitor or Log Analytics agent requires both the Log Analytics workspace 
ID and the key for the Log Analytics workspace. You can download the agent from the Log 
Analytics workspace directly and install using the wizard, where you enter the workspace ID 
and primary key, or from the command line, where you pass these values through in the instal- 
lation command. 
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Network reguirements 


The Log Analytics agent needs to be able to connect either directly or via proxy to the follow- 
ing hosts on the internet via port 443: 


m *.ods.opinsights.azure.com 
m *oms.opinsights.azure.com 
m *blob.core.windows.net 
m *.azure-automation.net 


You can also configure a Log Analytics gateway to allow connections between Log Analytics 
agents and Azure Monitor. The Log Analytics gateway is an HTTP forward proxy that sends data 
to Azure Automation and Log Analytics workspace. You use the Log Analytics gateway if you 
restrict which hosts can communicate from your on-premises network. Rather than having each 
host communicate with the Log Analytics workspace in Azure, traffic is routed from each host 
to the gateway that functions as a proxy. The Log Analytics gateway is only for log agent activity 
and does not support Azure Automation features such as runbooks and update automation. 


NEED MORE REVIEW? LOG ANALYTICS AGENT 


You can learn more about the Log Analytics agent at https://docs.microsoft.com/en-us/azure/ 
azure-monitor/agents/agent-windows. 


Collect performance counters to Azure 


Rather than sending all possible telemetry from an on-premises server to Azure, data collection rules 
allow you to specify how data should be collected before it is transmitted to Azure Monitor logs. 


Standard data collection rules collect and send data to Azure Monitor. To create a data col- 
lection rule, perform the following general steps: 


1. In Azure Monitor, select Data Collection Rules and then select Create. 


2. Provide a rule name, subscription, resource group, and region, and set the platform type 
to Windows. You can also set it to Linux, but that isn’t relevant to the AZ-801 exam. 


3. Onthe Resources page, select the virtual machines or connected servers that you wish 
to associate with the data collection rule. 


4. Select which data you want to collect. Here you select the performance counters with 
the option of selecting a particular set of objects as well as a sampling rate. You can also 
select events to collect from event logs using this method. 


5. On the Destination page, select where you want to deploy data. You can send data to 
multiple Log Analytics workspaces. 


NEED MORE REVIEW? COLLECT PERFORMANCE COUNTERS TO AZURE 


You can learn more about collecting performance counters to Azure at https:// 
docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-overview. 
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Create alerts 


You can use Log Analytics queries to check logs periodically and to send alerts using Azure 
Monitor log alerts. Alerts have the following three elements: 


= Target The Azure resource you want to monitor 

= Criteria How to evaluate the resource 

m Action Notifications or automation. Send an email, webhook, or run automation. 
To create a new Azure Monitor alerts rule: 
1. Inthe portal, select the relevant resource and then in the Resource menu select Logs. 
2. Write a query that will locate the log events for which you want to trigger an alert. 
3. From the top command bar, select + New Alert rule. 

The Condition tab opens, populated with your log query. 


4. Inthe Measurement section, select values for the Measure, Aggregation type, and 
Aggregation granularity fields. 


5. Inthe Alert Logic section, set the Alert logic: Operator, Threshold Value, and 
Frequency. 


The Preview chart shows query evaluations results over time. 
6. You can select the Review + create button at any time. 
7. Onthe Actions tab, select or create the required action groups. 


8. On the Details tab, define the Project details and the Alert rule details. 


NEED MORE REVIEW? CREATE ALERTS IN AZURE MONITOR 


You can learn more about creating alerts at https://docs.microsoft.com/en-us/azure/ 
azure-monitor/alerts/alerts-log. 


Monitor Azure Virtual Machines by using Azure 
Diagnostics extension 


The Azure Diagnostics extension is an agent for Azure Monitor that collects monitoring data 
from an Azure laaS VM. The Diagnostics extension is used to: 


m Collect guest metrics information to Azure Monitor metrics 
= Forward guest logs and metrics to Azure Storage for archive 


= Forward guest logs and metrics to Azure event hubs, where that information can be 
sent outside Azure 


The Azure Diagnostics extension and the Log Analytics agent are both able to collect moni- 
toring data from Azure laaS VMs. You can use either or both concurrently. The primary differ- 
ences between the Azure Diagnostics extension and the Log Analytics agent include: 
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You can only use the Diagnostics extension with Azure laaS VMs. You can use Log 
Analytics in hybrid environments with on-premises Windows Server instances. 


The Azure Diagnostics extension sends data to Azure Storage (blogs and tables), Azure 
Monitor Metrics, and Event Hubs. Log Analytics collects data to Azure Monitor logs. 


The Log Analytics agent is required for VM Insights and Microsoft Defender for Cloud. 


The Azure Diagnostics extension can collect the following data on a Windows Server Azure 


laaS VM: 
= Windows Event logs 
m Performance counters 
m IIS logs 
m Application logs 
m .NET EventSource logs 
m Event tracing for Windows 
m Crash dumps 
m File-based logs 
m Agent diagnostic logs 


You install the Diagnostics extension in the Azure portal under Diagnostic settings in the 
Monitoring section of the virtual machine’s menu. 


NEED MORE REVIEW? AZURE DIAGNOSTICS EXTENSION 


You can learn more about Azure Diagnostics extension at https://docs.microsoft.com/en-us/ 


azure/azure-monitor/agents/diagnostics-extension-overview. 


Monitor Azure Virtual Machines performance by 
using VM Insights 


VM Insights allows you to monitor the performance and health of virtual machines. You can 
examine processes that are running on those computers as well as the dependencies that exist 
to other resources. You can use VM Insights to determine if performance bottlenecks exist and 
if network issues are impacting workload functionality. 


VM Insights stores data in Azure Monitor logs. This allows you to view data from a single 
VM or to leverage the functionality of Azure Monitor to examine data across multiple Azure 
laaS VMs. 


To deploy Azure VM Insights, you need to perform the following general steps: 


1. 
2; 


Create a Log Analytics workspace. 


Add VM Insights to the workspace. You can do this by selecting Workspace Configu- 
ration after selecting one or more virtual machines from the list of virtual machines 
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in the Monitor menu of the Azure portal. This installs the VMInsights solution to the 
workspace. 


3. Install VM Insights on each virtual machine or on-premises connected machine. VM 
Insights requires the Log Analytics agent and the Dependency agent. 


NEED MORE REVIEW? VM INSIGHTS 


You can learn more about VM Insights at https://docs.microsoft.com/en-us/azure/ 
azure-monitor/vm/vminsights-overview. 


EXAM TIP 


Remember to add a process object to a data collector set if you suspect a certain application 
is responsible for consuming excessive processor resources. 


Skill 5.2: Troubleshoot Windows Server on-premises 
and hybrid networking 


Hybrid cloud only works when on-premises resources can communicate seamlessly with 
resources in Azure and resources in Azure can seamlessly communicate with resources on- 
premises. Sometimes communication between these two locations becomes disrupted, and 
you need to find the appropriate tools to diagnose what has gone wrong. 


This section covers how to: 
= Troubleshoot hybrid network connectivity 
m Troubleshoot Azure VPN 


= Troubleshoot on-premises connectivity 


Troubleshoot hybrid network connectivity 


Troubleshooting hybrid connectivity can be a challenge because it may not entirely be clear 
how traffic should pass back and forth between on-premises and cloud resources even when 
everything is functioning correctly. While you can use Azure Network Watcher to diagnose 
hybrid network problems, you should also use it before things go wrong so that you can 
understand what telemetry is generated when things are functioning normally. Azure Network 
Watcher provides three monitoring tools: 


= Topology The Network Watcher Topology tool generates graphical displays of your 
Azure virtual networks and the resources deployed on those networks. You can use this 
tool at the beginning of the troubleshooting process by allowing yourself to visualize all 
elements involved in the problem that you are troubleshooting. 
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Connection Monitor This tool allows you to verify that connections work between 
Azure resources such as laaS VMs. 


Network Performance Monitor This tool allows you to track latency and packet 
loss. You can configure alerts to trigger when latency and packet loss exceed particular 
thresholds. 


Network Watcher is useful for troubleshooting hybrid network connectivity by providing 
the following six tools: 


IP flow verify Lets you determine whether packets are allowed or denied to a specific 
laaS virtual machine. This tool provides information about which network security 
group is causing the packet to be dropped. 


Next hop Allows you to determine the route a packet takes from a source IP address 
to a destination IP address. It is useful in determining if routing tables for Azure virtual 
networks are incorrectly configured. If two laaS hosts cannot communicate or an laaS 
host cannot communicate with an on-premises host, this tool can help you determine if 
routing configuration is the issue. 


Effective security rules Allows you to determine which specific rule in a set of net- 
work security group rules applied in multiple locations is blocking or allowing specific 
network traffic. 


Packet capture Allows you to record all network traffic sent to and from an laaS VM. 


Connection troubleshoot Allows you to check TCP connectivity between a source 
and destination VM. 


VPN troubleshoot Allows you to troubleshoot problems with virtual network gate- 
way connections. This tool is covered in more detail in the next section. 


NEED MORE REVIEW? TROUBLESHOOT HYBRID NETWORKING 


You can learn more about troubleshooting hybrid networking at https://docs.microsoft.com/ 
en-us/learn/modules/troubleshoot-premises-hybrid-networking/. 


Troubleshoot Azure VPN 


The first port of call when troubleshooting an Azure VPN is the VPN troubleshoot utility 
included with Azure Network Watcher. You can use this tool to troubleshoot VPN gateways 
and connections. The capability can be called through the portal, PowerShell, Azure CLI, or 
REST API. When called, Network Watcher diagnoses the health of the gateway, or connection, 
and returns the appropriate results. The request is a long-running transaction. The preliminary 
results returned give an overall picture of the health of the resource. 


The following list contains the values returned with the troubleshoot API: 


startTime This value is the time the troubleshoot API call started. 


endTime This value is the time when the troubleshooting ended. 
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m code This value is UnHealthy, if there is a single diagnosis failure. 


= results Results is a collection of results returned on the connection or the virtual 
network gateway. 


m id This value is the fault type. 
= summary This value is a summary of the fault. 
= detailed This value provides a detailed description of the fault. 


m recommendedActions This property is a collection of recommended actions 
to take. 


= actionText This value contains the text describing what action to take. 
m actionUri This value provides the URI to documentation on how to act. 


m actionUriText This value is a short description of the action text. 


NEED MORE REVIEW? TROUBLESHOOT AZURE VPN 


You can learn more about troubleshooting Azure VPN at https://docs.microsoft.com/en-us/ 
azure/vpn-gateway/vpn-gateway-troubleshoot. 


VPN client troubleshooting 


If you are using the VPN client to allow a host to access resources on an Azure virtual network 
and you then make a change to the topology of your Azure virtual network, such as adding 
new resources on the extended network or configuring network peering, you will need to 
re-download the VPN client and reinstall it to access those resources. This is because the VPN 
client is configured for the network topology at the time you download and install it and will 
be reconfigured as that network topology changes. Downloading a new version of the VPN 
client and reinstalling it will resolve many problems related to point-to-site VPNs as this will 
ensure you have the most current certificates. 


Other point-to-site VPN problems can include: 

m If you are notified that the message received was unexpected or badly formatted, check 
if the user-defined routes for the default route on the gateway subnet are configured 
correctly and that the root certificate public key is present in the Azure VPN gateway. 

m There is a limit to the number of VPN clients that can be connected simultaneously that 
depends on the VPN gateway SKU. Once the maximum number is reached, new connec- 
tions cannot be established unless an existing connection is terminated. 

m Ifthe VPN client cannot access network file shares when connected via point-to-site 
VPN, you may need to disable the caching of domain credentials on the client. 

m If the point-to-site VPN client is unable to resolve the FQDN of on-premises domain 
resources, you'll need to update the DNS settings for the Azure virtual network. 
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By default, these will be set to Azure DNS servers. You will have to alter them so 
that they point to a DNS server that can resolve or forward queries for on-premises 
resources as well as Azure resources. The simplest method of doing this is to deploy 
your own DNS server on the Azure virtual network. 


NEED MORE REVIEW? POINT-TO-SITE TROUBLESHOOTING 


You can learn more about troubleshooting point-to-site Azure VPNs at https://docs.microsoft 


.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-vpn-point-to-site-connection- 


problems. 


Troubleshoot Azure site-to-site VPN 


Azure site-to-site VPNs are used to connect on-premises networks to Azure. You should take 
the following steps to troubleshoot site-to-site VPNs: 


Ensure the VPN device used for the on-premises side of the VPN connection is validated. 


This can be done on the Overview page of the VPN gateway. 

Ensure that the shared key for the on-premises VPN devices matches that used by the 
Azure VPN gateway. 

Verify that the IP definition for the Local Network Gateway object in Azure matches the 
IP address assigned to the on-premises device. 

Ensure that the Azure gateway IP definition configured on the on-premises device 
matches the IP address assigned to the Azure gateway. 

Verify that the virtual network address spaces match between the Azure virtual network 
and the on-premises network configuration. 

Verify that subnets match between the local network gateway and on-premises defini- 


tion for the on-premises network. 


Run a health probe by navigating to the URL 
https://< MyVirtualNetworkGateway!P>:8081/healthprobe and review the certificate 
warning. If you receive a response, the VPN gateway is considered healthy. 


NEED MORE REVIEW? SITE-TO-SITE VPN TROUBLESHOOTING 


You can learn more about troubleshooting site-to-site Azure VPNs at https://docs.microsoft.com/ 


en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-site-to-site-cannot-connect. 


Troubleshoot on-premises connectivity 


The main causes of network connectivity problems are: 


m IP address misconfigurations Check that the IP address, subnet mask, and default 


gateway are correctly configured. A host can have limited connectivity if the subnet 
mask and default gateway are incorrectly configured. 
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Routing failures Some connectivity problems occur because traffic cannot 
seamlessly pass back and forth between on-premises and cloud workloads. This may 

be because topologies in either network have changed without VPNs and routing tables 
being updated. 


Name resolution failures Check that the names assigned to resources in on- 
premises and cloud locations can be resolved in both locations. Failures can be due to 
incorrect client DNS server configuration or to misconfiguration and failures of the DNS 
servers or services themselves. 


Hardware failure Check that cables are plugged in and functioning (sometimes a 
plugged-in cable has failed so always swap with another). If a router or switch has failed, 
multiple clients will be impacted. 


You can use the following command-line and PowerShell utilities to diagnose problems with 
on-premises networks: 


Ping.exe Allows you to check ICMP connectivity between two hosts. Use Test- 
NetConnection in PowerShell to perform similar tasks. 


Tracert.exe Allows you to check the path between two hosts on different subnets. 
Pathping.exe A combination of ping and traceroute that allows you to view connec- 


tivity and route information. Use Test-NetConnection in PowerShell to perform similar 
tasks. 

Netstat.exe Allows you to view network connection information for the local host. 
Use Get-NetTCPConneciton in PowerShell to perform similar tasks. 

Arp.exe Allows you to manage the contents of the Address Resolution Protocol cache 
that maps IP addresses to physical addresses. 

Ipconfig.exe Allows you to view IP address configuration information. You can use 
Get-NetIPAddress and Clear-DNSClientCache to perform some of the same tasks from 
PowerShell. 

Nslookup.exe Allows you to perform DNS queries. Use Resolve-DNSName in PowerShell 
to perform similar tasks. 

Route.exe Manage routing information. You can use Get-NetRoute to perform similar 
tasks from PowerShell. 


NEED MORE REVIEW? TROUBLESHOOT WINDOWS SERVER NETWORKING 


You can learn more about troubleshooting Windows Server networking at https:// 


docs.microsoft.com/en-us/troubleshoot/windows-server/networking/networking-overview. 


Troubleshoot DNS 


DNS troubleshooting can be separated into two broad categories: client-side problems and 
server-side problems. If only one person in your organization has a problem that is DNS 
related, then it's probably a client-side problem. If multiple clients have a problem, then it’s 
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probably a server issue. If you experience client-side problems, check which DNS servers the 
client is configured to use and use the appropriate PowerShell or command-line utilities to 
diagnose DNS server functionality. 

You can use the following PowerShell and command-line utilities to diagnose DNS 
problems: 

= Resolve-DNSName Attempts to perform DNS resolution using the servers con- 


figured for use by the DNS client. You can use it to attempt to resolve FQDNs and IP 
addresses. You can use the -Server parameter to specify an alternate server. This allows 


you to determine if a resolution problem is specific to a DNS server. This command is the 


PowerShell equivalent of nslookup.exe. 

= Nslookup.exe Allows you to perform DNS resolution queries. Nslookup.exe is a 
cross-platform utility that allows you to perform lookups against local and remote DNS 
servers based on FQDN or IP address. 


m Get-DNSClient Use this PowerShell command to determine which DNS servers are 
used by a network interface. 
= Ipconfig /all Use this command to determine which DNS servers are used by the 
computer. This is the older command-line utility that also works to extract DNS 
server information. 


m Clear-DNSClientCache Removes all entries in the client's DNS cache. Use this if a 
host's address might have changed but the client is still using a cached DNS record. 
After clearing the cache, a new DNS query will occur and the most recent DNS record 
will be retrieved. 
= Ipconfig /flushdns This is the older command-line utility that removes all entries 

in the client's DNS cache. 

Common DNS server problems you might need to troubleshoot include: 

m DNS records are missing in a DNS zone. Depending on how DNS scavenging is config- 
ured, DNS records can be removed from a DNS zone if they are dynamically created or 
the NoRefresh and Refresh intervals are set too low. Additional causes of DNS records 
disappearing are: 


m In IPv6 environments, if DHCP option 81 is configured, DNS A records may be deleted 


when AAAA records are registered. 


m When active dynamic DHCP leases are converted to reservations, the A and PTR 
records are deleted by design. You will need to manually create these records. 


m Query response delays can occur if forwarders or conditional forwarders are no longer 


reachable. You should regularly check if DNS servers that are configured as the target of 


forwarders or conditional forwarders are able to resolve DNS queries. 


If DNS zones are Active Directory integrated and records that are present on other domain 
controllers that also host the DNS role are not present on the local domain controller, check 
that there are no issues blocking Active Directory replication. 
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DNS SERVER TESTS 


You can configure a DNS server to perform manual or automatic tests on the Monitoring tab of 
the DNS server's properties, as shown in Figure 5-3. 


TWT-DC Properties ? x 
interfaces Forwarders Advanced Root Hints 
Debug Logging Event Logging Monitoring Security 
To verity the configuration of the server, you can perform manual or 
automatic testing 
Select a test type’ 


[AA simple query against this DNS server 
Z) A recursive query to other ONS servers 


To perform the test immediately, cick Test Now Test Now 


C Perform automatic testing at the following intervat 


Test interval: || minutes 
Test results: 
Date Time Sample Query Recursive Q. 
6/27/2022 10:38:29 PM Pass Pass 
6/27/2022 10:38:25PM Pass 


oe im ie 


FIGURE 5-3 DNS Monitoring 


You can configure the DNS server to perform simple queries, where it will attempt to 
resolve a DNS query against itself and also a recursive query against other DNS servers that it 
is configured to use in its client settings. You can configure these tests to occur on a periodic 
basis and view the results either in this dialog box or in the DNS event logs. 


DNS EVENT LOGS 


The DNS server log is located in the Applications and Services Logs folder in Event Viewer. 
Depending on how you configure event logging on the Event Logging tab of the DNS server's 
properties this event log records information, including: 


m Changes to the DNS service—for example, when the DNS server service is stopped or 
started. 


m Zone loading and signing events. 
= Modifications to DNS server configuration. 
m DNS warning and error events. 


By default, the DNS server records all these events. It's also possible to configure the DNS 
server to only log errors, or errors and warning events. The key with any type of logging is that 


you should only enable logging for information that you might need to review at some time. 


Many administrators log everything “just in case,” even though they will only ever be interested 
in a specific type of event. 
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In the event that you need to debug how a DNS server is performing, you can enable debug 
logging on the Debug Logging tab of the DNS server's properties dialog box. Debug logging 
is resource intensive, and you should only use it when you have a specific problem related to 
the functionality of the DNS server. You can configure debug logging to use a filter so that only 
traffic from specific hosts is recorded, rather than traffic from all hosts that interact with the 
DNS server. 


DNS SOCKET POOL 

DNS socket pool is a technology that makes cache-tampering and spoofing attacks more dif- 
ficult by using source port randomization when issuing DNS queries to remote DNS servers. To 
spoof the DNS server with an incorrect record, the attacker needs to guess which randomized 
port was used as well as the randomized transaction ID issued with the query. A DNS server 
running on Windows Server uses a socket pool of 2,500 by default. You can use the dnscmd 
command to vary the socket pool between 0 and 10,000. For example, to set the socket pool 
size to 4,000, issue the following command: 


dnscmd /config /socketpoolsize 4000 


You must restart the DNS service before the reconfigured socket pool size is used. 


DNS CACHE LOCKING 

DNS cache locking enables you to control when information stored in the DNS server's cache 
can be overwritten. For example, when a recursive DNS server responds to a query for a record 
that is hosted on another DNS server, it caches the results of that query so that it doesn't have 
to contact the remote DNS server if the same record is queried again within the TTL (Time to 
Live) value of the resource record. DNS cache locking prevents record data in a DNS server's 
cache from being overwritten until a configured percentage of the TTL value has expired. 

By default, the DNS Cache Locking value is set to 100, but you can reset it using the Set-DNS- 
ServerCache cmdlet with the LockingPercent option. For example, to set the Cache Locking 
value to 80%, issue the following command and then restart the DNS server service: 


Set-DNSServerCache -LockingPercent 80 


DNS RECURSION 

DNS servers on Windows Server perform recursive queries on behalf of clients by default. 

This means that when the client asks the DNS server to find a record that isn’t stored in a zone 
hosted by the DNS server, the DNS server goes out and finds the result of that query and 
passes it back to the client. It’s possible for nefarious third parties to use recursion as a denial- 
of-service (DoS) attack vector, slowing a DNS server to the point where it becomes unrespon- 
sive. You might also do this as a part of your troubleshooting process. You can disable recursion 
on the Advanced tab of the DNS server's properties. 
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NETMASK ORDERING 

Netmask ordering ensures that the DNS server returns the host record on the requesting 
client's subnet if such a record exists. For example, imagine that the following host records 
existed on a network that used 24-bit subnet masks: 


m 10.10.10.105 wsus.contoso.com 
m 10.10.20.105 wsus.contoso.com 
m 10.10.30.105 wsus.contoso.com 


If netmask ordering is enabled and a client with the IP address 10.10.20.50 performs a lookup of 
wsus.contoso.com, it is always returned the record 10.10.20.105 because this record is on the same 
subnet as the client. If netmask ordering is not enabled, then the DNS server returns records ina 
round-robin fashion. If the requesting client is not on the same network as any of the host records, 
then the DNS server also returns records in a round-robin fashion. Netmask ordering is useful for 
services such as Windows Server Update Services (WSUS) that you might have at each branch office. 
When you use it, the DNS server redirects the client in the branch office to a resource on the local 
subnet when one exists. Netmask ordering is enabled by default on Windows Server DNS servers. 


ANALYZE ZONE LEVEL STATISTICS 


You can understand how a DNS zone is being utilized by clients by viewing DNS statistics. You 
can do this on computers running the Windows Server operating system by using the Get-Dns- 
ServerStatistics cmdlet. Information that you can view using this cmdlet includes: 


= Cache statistics View information about the number of requests that the DNS server 
satisfies from cache 


m DNSSEC statistics Provides data about successful and failed DNSSEC validations 


= Error statistics Detailed information about the number of errors, including bad keys, 
bad signatures, refusals, and unknown errors 


= Master statistics Contains information about zone transfer statistics 
= Query statistics Information about queries made to the DNS server 


= Record statistics Data about the number of records in the cache and memory 
utilization 


= Recursion statistics Information about how the DNS server solves recursive queries 


You can view statistics related to a specific zone by using the -Zonename parameter. For 
example, if you wanted to view the statistics of the australia.adatum.com zone, you would issue 
the following command from an elevated Windows PowerShell prompt on a computer that 
hosts the DNS server role: 


Get-DnsServerStatistics -Zonename australia.adatum.com 


NEED MORE REVIEW? TROUBLESHOOT WINDOWS SERVER DNS 


You can learn more about troubleshooting Windows Server DNS at https://docs.microsoft.com/ 
en-us/troubleshoot/windows-server/networking/troubleshoot-dns-guidance. 
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Troubleshoot DHCP 


If a client computer has been assigned an APIPA address instead of an address appropriate 
to its network, there is likely something wrong with the DHCP server. If clients are no longer 
receiving DHCP address leases form a DHCP server, check the following: 


m Is the DHCP server service running? You can check this in the services console or by run- 
ning the get-service dhcpserver PowerShell command. 


m Is the DHCP server authorized? You can check the list of authorized DHCP servers 
by using the following PowerShell command (substitute your domain name for tail- 
windtraders.org) from an elevated PowerShell prompt: 


Get-ADObject -SearchBase "“cn=configuration,dc=tailwindtraders,dc=org" -Filter 
"objectclass -eq 'dhcpclass' -AND Name -ne 'dhcproot'" | select name 


m Are IP address leases available? If the scope is exhausted because all IP addresses are 
leased, new clients will be unable to obtain IP addresses. 


= Determine if a DHCP relay is available if clients on remote subnets are unable to acquire 
IP addresses from the DHCP server. Ensure that the DHCP relay can be pinged from the 
DHCP server. 


m Verify that the DHCP server is listening on UDP port 67 and 68. If WDS is deployed on 
the DHCP server, this may interfere with the functioning of the DHCP server role. 


m If IPsec is used in the environment, ensure that the DHCP server is configured with the 
IPsec exemption. 


NEED MORE REVIEW? TROUBLESHOOT WINDOWS SERVER DHCP 


You can learn more about troubleshooting DHCP at https://docs.microsoft.com/en-us/ 
troubleshoot/windows-server/networking/troubleshoot-dhcp-guidance. 


ti EKAM TIP 


A host with an incorrectly configured subnet mask may be able to contact some hosts on the 
same IP subnet but not others. 


Skill 5.3: Troubleshoot Windows Server virtual 
machines in Azure 


The most common workload in Azure is laaS VMs. Running an laaS VM in Azure is differ- 

ent than running a workload in an environment that you fully manage. While most Windows 
Server laaS VMs will run in Azure without any challenges, if everything worked all the time, 
none of us would have jobs in IT because there would be very little to do. This objective details 
the tools and technologies that you can use to diagnose and resolve problems that may occur 
with Windows Server laaS VMs. 


Skill 5.3: Troubleshoot Windows Server virtual machines in Azure 219 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


220 


This section covers how to: 
m Troubleshoot deployment failures 
m Troubleshoot booting failures 
= Troubleshoot VM performance issues 
m Troubleshoot VM extension issues 
m Troubleshoot disk encryption issues 
= Troubleshoot storage 


m Troubleshoot VM connection issues 


Troubleshoot deployment failures 


There are a variety of scenarios where you might be unable to deploy an laaS VM in Azure. 
These include: 


Invalid template error Azure allows you to deploy VMs from Bicep files or Azure 
Resource Manager (ARM) templates. Errors can occur when deploying laaS VMs using 
this method if there is a syntax error present in the Bicep file or template, parameters 
are incorrectly specified, parameters have been assigned an invalid value, or a circular 
dependency exists. A deployment would fail if more than five resource groups were 
referenced in a template, but this limitation has been removed and a deployment can 
include up to 800 resource groups. 


Allocation failure If you get an AllocationFailed or a ZonalAllocationFailed error, 

the datacenter in which the laaS VM is to be deployed may be experiencing resource 
constraints that limit the size of VMs that can be deployed. These errors are gener- 

ally transient as more capacity is added to Azure datacenters. You can also resolve the 
deployment problems by attempting a deployment in another Azure region. Allocation 
failures can also occur when you attempt to start an existing VM that was previously 
deallocated where the VM is configured to use an older VM size that is no longer sup- 
ported. As newer generation hardware is deployed in Azure datacenter, older VM SKUs 
are retired and you will need to resize VMs to a newer supported SKU. 


Quotaerror Each Azure subscription has a quota of CPU cores that can be assigned 
to laaS VMs. If you exceed this quota, you will be unable to deploy new laaS VMs. You 
can choose to either deallocate an existing laaS VM or contact support to have your 
subscription’s CPU core quota increased. 


OS Image error A VM deployment failure will occur if you are attempting to deploy a 
VM from an image that was incorrectly captured. Incorrect capture can occur if appro- 
priate preparation steps are not taken or incorrect settings are configured during the 
capture process. 
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NEED MORE REVIEW? DEPLOYMENT TROUBLESHOOTING 


You can learn more about laaS VM deployment troubleshooting at https://docs.microsoft.com/ 
en-us/azure/azure-resource-manager/troubleshooting/common-deployment-errors. 


Troubleshoot booting failures 


If an Azure laaS VM enters a non-bootable state, you can use Console Output and Screenshot 
support to diagnose the issue. You can enable book diagnostics during VM creation. To enable 
boot diagnostics on an existing laaS virtual machine, perform the following steps: 


1. Open the Virtual Machine in the Azure portal. 

2. Under Help select Boot diagnostics, and then choose Settings. 

3. In Boot Diagnostics Settings, select whether to use a managed storage account or a 
custom storage account. If you choose a custom storage account, you must ensure that 


you choose one that does not use premium storage and that is not configured as zone- 
redundant storage. 


Azure Serial Console 


Azure Serial Console allows you to access a text-based console to interact with laaS VMs 
through the Azure portal. The serial connections connect to the COM1 serial port of the Win- 
dows Server laaS VM and allow access independent of the network or operating system state. 
This functionality replicates the Emergency Management Services (EMS) access that you can 
configure for Windows Server, which you are most likely to use in the event that an error has 
occurred that doesn’t allow you to access the contents of the server using traditional adminis- 
trative methods. 


You can use the Serial Console for an laaS VM as long as the following prerequisites have 
been met: 


= Boot diagnostics are enabled for the laaS VM. 


m The Azure account accessing the Serial Console is assigned the Virtual Machine 
Contributor role for the laaS VM and the boot diagnostics storage account. 


= A local user account is present on the laaS VM that supports password authentication. 


Boot failure messages 


Most boot failure troubleshooting involves looking at the boot diagnostic screenshot of the 
laaS VM, creating a repair VM, creating a snapshot of the failed laaS VM OS disk, mounting 
the snapshot, and using the appropriate tool to resolve the issue on the mounted disk before 
reattaching it to the failed VM. The process to do this is covered later in this chapter. Mounting 


Skill 5.3: Troubleshoot Windows Server virtual machines in Azure 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


221 


222 


a snapshot of the failed VM's OS disk and repairing it allows you to troubleshoot the following 
boot failures: 


Boot Error - Disk Read Error Occurred Mount the OS disk snapshot copy of the 
failed VM on a Repair VM and use diskpart to set the boot partition to active. You 
should run checkdisk /f against the mounted disk image. Dismount the repaired OS 
disk from the repair VM and mount the repaired OS disk on the original VM. 


Checking file system error If the laaS VM boot screenshot shows that Check Disk 
process is running with the message Scanning and repairing drive (C:) or Checking file 
system on C:, then wait to determine whether the check completes successfully, at 
which point the VM may restart normally. If the laaS VM is unable to exit the Check Disk 
process, attach a snapshot of the OS disk to a recovery VM and perform a Check Disk 
operation using chkdsk.exe /f. Dismount the repaired OS disk from the repair VM and 
mount the repaired OS disk on the original VM. 


Critical process disabled If the laaS VM does not boot and boot diagnostics shows 
the error #0x000000EF with the message Critical Process Died, create and access a 
repair VM, mount a snapshot of the failed laaS VM’s boot disk, and run the command 
sfc /scannow /offbootdir=<BOOT DISK DRIVE>:\ /offwindir=<BROKEN DISK DRIVE>:\ 
windows where <BOOT DISK DRIVE> is the boot partition of the broken VM, and 
<BROKEN DISK DRIVE> is the OS partition of the broken VM. Dismount the repaired OS 
disk from the repair VM and mount the repaired OS disk on the original VM. 


Failed boot error code CO1A001D |f the laaS VM cannot boot and boot diagnos- 
tics shows a Windows Update operation in progress that is failing with the error code 
C01A001D, you will need to create and mount a snapshot of the failed laaS VM’s OS disk 
to a recovery VM and delete any unnecessary files before reattaching the snapshot to 
the failed VM. This error is caused when there is not enough space on the OS disk to 
apply updates. 


Failed boot no bootable disk If the laaS VM cannot boot and boot diagnostics 
shows the message This is not a bootable disk. Please insert a bootable floppy and press 
any key to try again..." you should, after considering the use of floppy disks in the cloud, 
mount the OS disk snapshot copy of the failed VM ona repair VM. Use diskpart to set 
the boot partition to active. You should run checkdisk /f against the mounted disk 
image. Dismount the repaired OS disk from the repair VM and mount the repaired OS 
disk on the original VM. 


If the Boot Configuration Data on the failed VM appears corrupted, perform the following 


steps from the repair VM against the mounted OS disk before detaching it and connecting it to 
the failed laaS VM: 


1. 


Enumerate the Windows Boot Loader Identifier with 
bcdedit /store <Boot partition>:\boot\bcd /enum 


Repair the Boot Configuration Data by running the following command, replacing 
<Windows partition> with the partition that contains the Windows folder, 
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<Boot Partition> for the partition that contains the “Boot” system folder, and 
</dentifier> with the value determined in step 1: 


bcdedit /store <Boot partition>:\boot\bcd /set {bootmgr} device partition=<boot 
partition>: 

bcdedit /store <Boot partition>:\boot\bcd /set {bootmgr} integrityservices enable 
bcdedit /store <Boot partition>:\boot\bcd /set {<Identifier>} device 
partition=<Windows partition>: 

bcdedit /store <Boot partition>:\boot\bcd /set {<Identifier>} integrityservices 
enable 

bcdedit /store <Boot partition>:\boot\bcd /set {<identifier>} recoveryenabled Off 
bcdedit /store <Boot partition>:\boot\bcd /set {<identifier>} osdevice 
partition=<Windows partition>: 

bcdedit /store <Boot partition>:\boot\bcd /set {<identifier>} bootstatuspolicy 
IgnoreA11Fai lures 


NEED MORE REVIEW? \AAS VM BOOT 


You can learn more about troubleshooting laaS VM boot at https://docs.microsoft.com/en-us/ 


troubleshoot/azure/virtual-machines/boot-error-troubleshoot. 


Repair VMs and failed boot disks 


You can create a special repair VM from Cloud Shell that provides you with the necessary tools 
to repair a failed boot disk by performing the following steps: 


1. 


Ensure that the az vm repair commands are available by running the command 
az extension add -n vm-repair 


Run the az vm repair create command to create a copy of the failed OS disk, create a 
repair VM in a new resource group, and attach the OS disk copy to the VM. This VM will 
be the same size and region as the nonfunctional VM specified in the command. If the 
failed VM uses Azure Disk Encryption, use the --unlock-encrypted-vm command switch. 
The following command will create a repair VM for the VM named Failed VMName in 
the resource group ResourceGroupName with the admin account prime and the pass- 
word Claused1234: 

Az vm repair create -g ResourceGroupName -n FailedVMName -repair-username prime 
--repair-password ‘Claused1234’ --verbose 

You can then either connect to the repair VM normally through RDP or PowerShell, or 
you can run a repair script using the az vm repair run command. To view the available 
repair scripts, run the following command: 


az vm repair list-scripts 


Once you have fixed the issue that was stopping the VM from booting, run the az vm 
repair restore command to swap the repaired OS disk with the original VM's OS disk. 
For example, to swap the fixed OS disk created in step 2, run this command: 


Az vm repair restore -g ResourceGroupName -n FailedVMName --verbose 
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NEED MORE REVIEW? AZURE VIRTUAL MACHINE REPAIR 


You can learn more about laaS VM repair at https://docs.microsoft.com/en-us/troubleshoot/ 


azure/virtual-machines/repair-windows-vm-using-azure-virtual-machine-repair-commands. 


Troubleshoot VM performance issues 


The performance diagnostics tool allows you to troubleshoot performance issues, includ- 
ing high CPU usage, low disk space, or memory pressure. Diagnostics can be run and viewed 
directly from the Azure portal. To install and run performance diagnostics on a Windows 
Server laaS VM, perform the following steps: 


1. Select the VM that you wish to diagnose. 
2. Inthe VM page, select Performance diagnostics. 


3. Either select an existing storage account or create a new storage account to store per- 
formance and diagnostics data. A single storage account can be used for multiple Azure 
laaS VMs in the same region. 


4. Select Install performance diagnostics. After the installation completes, select Run 
Diagnostics. 
Azure Performance Diagnostics allows you to run several different analysis scenarios. You 
should choose the analysis scenario that best describes the issue you are attempting to diag- 
nose. Scenarios include: 


m= Quick performance analysis Checks for known issues, runs a best practice analysis, 
and collects diagnostics data. 

= Performance analysis Does all the quick performance analysis checks as well as 
examines high resource consumption. Appropriate for diagnosing high CPU, memory, 
and disk utilization. 

= Advanced performance analysis Does all the quick performance analysis and 
performance analysis checks. This analysis is useful for complex issues and runs over a 
longer duration. 

= Azure Files analysis Performs all the checks outlined previously but will also capture 


a network trace and SMB traffic counters. Useful for diagnosing problems related to 
SMB file shares on Azure laaS VMs. 


NEED MORE REVIEW? TROUBLESHOOT VM PERFORMANCE ISSUES 


You can learn more about VM performance at https://docs.microsoft.com/en-us/troubleshoot/ 
azure/virtual-machines/performance-diagnostics. 
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Troubleshoot VM extension issues 


You can view the status of the extensions installed on a VM using the Get-AzvmM PowerShell 
cmdlet from an Azure Cloud Shell session or by viewing the Extensions and Applications area 
on a virtual machine's properties page. You can retrieve information about an Azure laaS VM's 
extension by running the following command from Azure Cloud Shell: 


Get-AzVMExtension -ResourceGroupName $RGName -VMName $vmName -Name $ExtensionName 
When determining whether an issue is caused by an agent or with an extension, the Azure 
VM agent relies on the following three services that must be running: 
m RDAgent 
m Windows Azure Guest Agent 
m Microsoft Azure Telemetry Service 


If you have verified that these three services are running, you can then check c\WindowsA- 
zure\logs\WaAppAgent.log to view information about extensions. Log data will include the 
following extension operations: 


= Enable 
m Install 
m Start 
= Disable 


You can determine if an extension is failing by searching through the WaAppAgent.log for 
the word “error.” You can also troubleshoot extensions by examining each extension’s logs. 
Each extension has its own log files in an laaS VM's C\WindowsAzure\logs\Plugins folder. 
Extension settings and status files are stored in the C:\Packages\Plugins folder on a VM. The 
Azure Diagnostics Extension writes data to an Azure storage account. The diagnostics exten- 
sion does not write data to a Log Analytics workspace. 


NEED MORE REVIEW? VM EXTENSION ISSUES 


You can learn more about troubleshooting VM extension issues at https://docs.microsoft.com/ 
en-us/troubleshoot/azure/virtual-machines/support-agent-extensions. 


Troubleshoot disk encryption issues 


Disk encryption errors generally occur when the encryption keys, stored in a key vault, become 
inaccessible to an laaS VM due to a configuration change. When troubleshooting Azure laaS 
VM disk encryption issues, ensure the following: 


m Ensure that network security groups allow the VM to connect to Azure Active Directory 
endpoints and Azure Key Vault endpoints. 


m Ensure that the Azure Key Vault is located in the same Azure region and subscription as 
the laaS VM. 
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m Verify that the Key Encryption Key (KEK) is still present and has not been removed from 
Azure Key Vault. 


m Ensure that the VM name, data disks, and keys adhere to Key Vault resource naming 
restrictions. 

You can use the Disable-AzVMDiskEncryption cmdlet followed by the Remove-AzVMDiskEn- 
cryptionExcention cmdlet from an Azure Cloud Shell PowerShell session to disable and remove 
Azure Disk Encryption. You can use the az vm encryption disable Azure CLI command from an 
Azure Cloud Shell session to disable Azure VM disk encryption. 


If you encounter BitLocker errors that block the OS disk from booting, you can decrypt the 
OS disk by deallocating the VM and then starting it. When you do this, the Backup Encryption 
Key (BEK) file is recovered from the Azure Key Vault and placed on the encrypted disk. 


NEED MORE REVIEW? \AAS VM DISK ENCRYPTION 


You can learn more about laaS VM disk encryption at https://docs.microsoft.com/en-us/azure/ 
virtual-machines/windows/disk-encryption-overview. 


Troubleshoot storage 


The main disk roles for Azure laaS VMs are the operating system disk, data disks, and tempo- 
rary disks. These have the following properties: 


m The operating system (OS) disk hosts the Windows Server operating system. An Azure 
laaS OS disk has a maximum capacity of 4,095 gigabytes. You cannot extend an OS disk 
if Azure Disk Encryption is enabled. Generation 2 VMs support GPT and MBR partition 
types on the OS disk. 


m Data disks are managed disks that are attached to an Azure laaS VM and are registered 
as SCSI drives. Data disks have a maximum capacity of 32,767 gigabytes. Multiple data 
disks can be combined using storage spaces to support larger volumes. The number of 
data disks that can be attached to an Azure laaS VM depends on the VM SKU. 


m Temporary disks can be used for short-term storage. Data on a temporary disk can be 
lost when Azure performs maintenance events, during unscheduled outages, or if you 
redeploy a VM. When an Azure laaS VM performs a standard reboot, data on the tem- 
porary disk will remain. Important data that needs to be stored should not be located 
ona temporary disk. 


Managed disk snapshots are read-only crash consistent copies of an entire managed disk. 
You can use an existing managed disk snapshot to create a new managed disk. Snapshots can 
be created with the New-AzSnapShot PowerShell cmdlet or the az snapshot create Azure CLI 
command from an Azure Cloud Shell session. 
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NEED MORE REVIEW? MORE ABOUT IAAS VM DISKS 


You can learn more about Azure laaS VM disks at https://docs.microsoft.com/en-us/azure/ 
virtual-machines/faq-for-disks. 


Troubleshoot VM connection issues 


Once an laaS VM is deployed, you need to consider how to allow administrative connections to 
the laaS VM. You'll need to ensure that any network security groups and firewalls between your 
administrative host and the target laaS VM are configured to allow the appropriate adminis- 
trative traffic, though tools such as Just-in-Time VM access and Azure Bastion can automate 
that process. As a general rule, you shouldn't open the Remote Desktop port (TCP port 3389) 
or a remote PowerShell port (HTTP port 5985, HTTPS port 5986) so that any host from any IP 
address on the internet has access. If you must open these ports on a network security group 
applied at the laaS VM's network adapter level, try to limit the scope of any rule to the specific 
public IP address or subnet that you will be initiating the connection from. When troubleshoot- 
ing network connectivity to an Azure laaS VM, start by using the Test Your Connection option 
on the Connect page of the VM's properties in the Azure portal. 


Connecting with an Azure AD Account 


When you deploy an laaS VM, you usually configure a username and password for a local 
Administrator account. If the computer is standalone and not AD DS or Azure AD DS joined, 
you have to decide whether you want to limit access to the accounts that are present that 

you have configured on the laaS VM itself or if you also want to allow local sign-on using Azure 
AD accounts. 


Sign-on using Azure AD is supported for laaS VMs running Windows Server 2019 and Win- 
dows Server 2022. The laaS VMs need to be configured on a virtual network that allows access 
to the following endpoints over TCP port 443: 

m https://enterpriseregistration.windows.net—For device registration 
m http://169.254.169.254—Azure Instance Metadata Service endpoint 
m https://login.microsoftonline.com—For authentication flows 

m https://pas.windows.net—For Azure RBAC flows 

You can enable Azure AD logon for a Windows Server laaS VM when creating the laaS VM 
using the Azure portal or when creating an laaS VM using Azure Cloud Shell. When you do 
this, the AADLoginForWindows extension is enabled on the laaS VM. If you have an existing 
VM Windows Server laaS VM, you can use the following Azure CLI command to install and 
configure the AADLoginForWindows extension (where ResourceGroupName and VMName are 
unique to your deployment): 


Az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name 
AADLoginForWindows --resource-group ResourceGroupName --vm-name VMName 
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Once the laaS VM has the AADLoginForWindows extension configured and enabled, you 
can determine what permissions the Azure AD user account has on the laaS VM by adding 
them to the following Azure roles: 


m Virtual Machine Administrator Login Accounts assigned this role are able to sign on to 
the laaS VM with local Administrator privileges. 


= Virtual Machine User Login Accounts assigned this role are able to sign on to the VM 
with regular user privileges. 


Remote PowerShell 


You can initiate a remote PowerShell session from hosts on the internet. By default, remote 
PowerShell uses TCP port 5985 for HTTP communication and TCP port 5986 for HTTPS connec- 
tion. These ports must be accessible to the host you are making your connection from for the 
connection to be safely established. 


Another option is to run a Cloud Shell session in a browser and perform PowerShell remote 
administration in this manner. Cloud Shell is a browser-based CLI and a lot simpler to use than 
adding the Azure CLI to your local computer. There is a Cloud Shell icon at the top panel of the 
Azure console. 


You can enable remote PowerShell on an Azure laaS Windows VM by performing the 
following steps from Cloud Shell: 


1. Ensure that Cloud Shell has PowerShell enabled by running the pwsh command. 
2. At the PowerShell prompt in Cloud Shell, type the following command to enter local 
Administrator credentials for the Azure laaS Windows VM: 


$cred=get-credential 


3. At the PowerShell prompt in Cloud Shell, type the following command to enable Power- 
Shell remoting on the Windows Server laaS VM, where the VM name is 2022-IO-A and 
the resource group that hosts the VM is 2022-IO-RG: 

Enable-AzVMPSRemoting -Name 2022-I0-A -ResourceGroupName 2022-I0-RG -Protocol 
https -OSType Windows 

4. Once this command has completed executing, you can use the Enter-AzvM cmdlet to 
establish a remote PowerShell session. For example, run this command to connect to the 
laaS VM named 2022-I0-A in resource group 2022-IO-RG: 


Enter-AzVM -name 2022-I0-A -ResourceGroupName 2019-22-RG -Credential $cred 


Azure Bastion 


Azure Bastion allows you to establish an RDP session to a Windows Server laaS VM through a 
standards-compliant browser such as Microsoft Edge or Google Chrome rather than having to 
use a remote desktop client. You can think of Azure Bastion as “jumpbox as a service” because 
it allows access to laaS VMs that do not have a public IP address. Before the release of Azure 
Bastion, the only way to gain access to an laaS VM that didn’t have a public IP address was 
either through a VPN to the virtual network that hosted the VM or by deploying a jumpbox VM 
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with a public IP address, from which you then created a secondary connection to the target 
VM. If you have configured an SSH server on the laaS VM, Bastion also supports creating SSH 
connections to Linux laaS VMs or Windows Server configured with the SSH server service. 


Prior to deploying Azure Bastion, you need to create a special subnet named AzureBastion- 
Subnet on the virtual network that hosts your laaS VMs. Once you deploy Azure Bastion, the 
service will manage the network security group configuration to allow you to successfully make 
connections. 


Just-in-Time VM access 


Rather than have management ports, such as the port used for Remote Desktop Protocol, TCP port 
3389, open to hosts on the internet all the time, Just-in-Time (JIT) VM access allows you to open a 
specific management port for a limited duration of time and only open that port to a small range of 
IP addresses. You only need to use JIT if you require management port access to an Azure laaS VM 
from a host on the internet. If the laaS VM only has a private IP address or you can get by using a 
browser-based RDP session, then Azure Bastion is likely a better option. JIT also allows an organiza- 
tion to log on that has requested access, so you can figure out exactly which member of your team 
was the one who signed in and messed things up, which led to you writing up a report about the ser- 
vice outage. JIT VM access requires that you use the Azure Security Center, although doing so incurs 
an extra monthly cost per laaS VM. Keep that in mind if you are thinking about configuring JIT. 


Windows Admin Center in the Azure portal 


Windows Admin Center (WAC), available in the Azure portal, allows you to manage Windows 
Server laaS VMs. When you deploy Windows Admin Center in the Azure portal, WAC will be 
deployed on each Azure laaS VM that you wish to manage. Once this is done, you can navigate 
directly to an Azure portal blade containing the WAC interface instead of loading Windows 
Admin Center up directly on your administrative workstation or jumpbox server. 


NEED MORE REVIEW? OVERVIEW OF AZURE BASTION 


You can learn more about Azure Bastion at https://docs.microsoft.com/en-us/azure/bastion/ 
bastion-overview. 


ti EXAM TIP 


Remember that the Azure Diagnostics Extensions write data to a storage account and nota 
Log Analytics workspace. 


Skill 5.4: Troubleshoot Active Directory 


Active Directory Domain Services is wonderful when everything works perfectly. When things 
aren't working perfectly, AD DS can be a ball of frustration. Problems with AD DS can be as 
simple as your assistant accidentally deleting a large number of user accounts, to domain 
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controllers not replicating properly, to hybrid authentication not working nearly as effectively 
as it does in the product documentation. 


This section covers how to: 
m Restore objects from AD Recycle Bin 
m Recover Active Directory database using Directory Services Restore Mode 
m Troubleshoot Active Directory replication 
m Recover SYSVOL 
m Troubleshoot hybrid authentication issues 


m Troubleshoot on-premises Active Directory 


Restore objects from AD Recycle Bin 


Active Directory Recycle Bin allows you to restore items that have been deleted from Active 
Directory but that are still present within the database because the tombstone lifetime has not 
been exceeded. Active Directory Recycle Bin requires that the domain functional level be set 
to Windows Server 2008 R2 or higher. You can’t use the Active Directory Recycle Bin to restore 
items that were deleted before you enabled Active Directory Recycle Bin. 

Once it's activated, you can’t deactivate the Active Directory Recycle Bin. There isn't any 
great reason to want to deactivate AD Recycle Bin once it’s activated. You don’t have to use it 
to restore deleted items should you still prefer to go through the authoritative restore process. 


To activate the Active Directory Recycle Bin, perform the following steps: 

1. Open the Active Directory Administrative Center and select the domain that you want 
to enable. 

2. Inthe Tasks pane, select Enable Recycle Bin, as shown in Figure 5-4. 


E Active Directory Administrative Center 
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FIGURE 5-4 Enable Recycle Bin 
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After you have enabled the AD Recycle Bin, you can restore an object from the newly avail- 
able Deleted Objects container. This is, of course, assuming that the object was deleted after 
the Recycle Bin was enabled and assuming that the tombstone lifetime value has not been 
exceeded. To recover the object, select the object in the Deleted Objects container and then 
select Restore or Restore To. Figure 5-5 shows a deleted item being selected that can then 
be restored to its original location. The Restore To option allows you to restore the object to 


another available location, such as another OU. 
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FIGURE 5-5 Deleted Objects container 


NEED MORE REVIEW? RESTORE ACCOUNTS WITH AD RECYCLE BIN 


You can learn more about restoring deleted user accounts at https://docs.microsoft.com/ 
en-us/troubleshoot/windows-server/identity/retore-deleted-accounts-and-groups-in-ad. 


Recover Active Directory database using Directory 
Services Restore Mode 


Directory Services Restore Mode (DSRM) allows you to perform an authoritative restore 

of deleted objects from the AD DS database. You must perform an authoritative restore of 
deleted items because if you don't, the restored item is deleted the next time the AD database 
synchronizes with other domain controllers where the item is marked as deleted. Authoritative 
restores are covered later in this chapter. You configure the Directory Services Restore Mode 
password on the Domain Controller Options page of the Active Directory Domain Services 
Configuration Wizard, as shown in Figure 5-6. Note that even though a computer running 
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Windows Server 2022 is being configured asa domain controller, the makimum forestand 
domain functional levels are Windows Server 2016. This is because there is no Windows Server 
2019 or Windows Server 2022 domain or forest functional level. 


. ~ . TARGET SERVER 
Domain Controller Options sa 


Deployment Configuration 


Select functional level of the new forest and root domain 


F ional level: W TEER = 
DNS Options ‘orest functional level: Windows Server 2016 


Additional Options Domain functional level: Windows Server 2016 Ş 


Paths Specify domain controller capabilities 
Review Options [V] Domain Name System (ONS) server 
Prerequisites Check V| Global Catalog (GC) 

Read only domain controller (RODC) 


Type the Directory Services Restore Mode (OSRM) password 


Password: s..000000 


Confirm password: 


More about domain controller options 


< Previous Next > | Instali | Cancel 


FIGURE 5-6 Configuring Domain Controller Options 


In the event that you forget the DSRM password, which, in theory, should be unique for 
each domain controller in your organization, you can reset it by running ntdsutil.exe from an 
elevated command prompt and entering the following commands at the ntdsuti1.exe prompt, 
at which point you are prompted to enter a new DSRM password: 


set dsrm password 
Reset password on server null 


Tombstone lifetime 


Sometimes an Active Directory account, such as a user account or even an entire OU, is acci- 
dentally or, on occasion, maliciously deleted. Rather than go through the process of re-creating 
the deleted item or items, it’s possible to restore the items. Deleted items are retained within 
the AD DS database for a period of time specified as the tombstone lifetime. You can recover a 
deleted item without having to restore the item from a backup of Active Directory as long as 
the item was deleted in the Tombstone Lifetime window. 
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The default tombstone lifetime for an Active Directory environment at the Windows Server 
2008 forest functional level or higher is 180 days. You can check the value of the tombstone 
lifetime by issuing the following command from an elevated command prompt (replacing 
dc=Contoso,dc=I/nternal with the suffix of your organization's forest root domain): 


Dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=Contoso, 
dc=Internal" -scope base -attr tombstonelifetime 


For most organizations the 180-day default is fine, but some administrators might want 
to increase or decrease this value to give them a greater or lesser window for easily restoring 
deleted items. You can change the default tombstone lifetime by performing the following 
steps: 


1. From an elevated command prompt or PowerShell session, type ADSIEdit.msc. 


2. From the Action menu, select Connect to. In the Connection Settings dialog box, 
ensure that Configuration is selected under Select a well known Naming Context, as 
shown in Figure 5-7, and then select OK. 


Connection Settings x 


Name: | Configuration 


Path: | LOAP://mel-de1.contoso.internal/Configuration 
Connection Point 
O Select or type a Distinguished Name or Naming Context: 


@Select a well known Naming Context: 
Configuration Yv 


Computer 
O Select or type a domain or server: (Server | Domain [:port]) 


@ Default (Domain or server that you logged in to) 
Cluse sst-based Encryption 


FIGURE 5-7 Connection settings 


3. Navigate to, and then right-click the CN=Services, CN=Windows NT, CN=Directory 
Service node and select Properties. 


4. Inthe list of attributes, select tombstoneLifetime, as shown in Figure 5-8, and select 
Edit. 


5. Enter the new value, and then select OK twice. 
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CN=Directory Service Properties ? x 
Attribute Editor Security 
Attributes: 
Attribute Value = 
repsFrom not set> 
repsTo <not set> 
revision mot set> 
showinAdvancedVie.. TRUE 
sPNMappings hostsalerter appmomt,cisvc,ciipsrv browser d 
subRefs <not set> 
systemFlags «not set> 
ud <not set> 
uSNChanged 4122 
uSNCreated 4122 
uSNDSALastObjRem... <not set> 
USNinterste snot set> 
uSNLastObiRem anot set> v 
< > 
Edt Biter 
| OK | | Cancel foo Heip 


FIGURE 5-8 Tombstone lifetime 


Authoritative restore 


An authoritative restore is performed when you want the items you are recovering to overwrite 
items that are in the current Active Directory database. If you don't perform an authoritative 
restore, Active Directory assumes that the restored data is simply out of date and overwrites it 
when it is synchronized from another domain controller. If you perform a normal Restore on an 
item that was backed up last Tuesday when it was deleted the following Thursday, the item is 
deleted the next time the Active Directory database is synchronized. You do not need to per- 
form an authoritative restore if you only have one domain controller (DC) in your organization 
because there is no other domain controller that can overwrite the changes. 


Authoritative restore is useful in the following scenarios: 
m You haven't enabled Active Directory Recycle Bin. 


m You have enabled Active Directory Recycle Bin, but the object you want to restore was 
deleted before you enabled Active Directory Recycle Bin. 


m You need to restore items that are older than the tombstone lifetime of the AD DS 
database. 


To perform an authoritative restore, you need to reboot a DC into Directory Services 
Restore Mode. If you want to restore an item that is older than the tombstone lifetime of the 
AD DS database, you also need to restore the AD DS database. You can do this by restoring the 
system state data on the server. You'll likely need to take the DC temporarily off the network 
to perform this operation simply because if you restore a computer with old system state data 
and the DC synchronizes, all the data that you wish to recover will be deleted when the domain 
controller synchronizes. 
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You can configure a server to boot into Directory Services Restore Mode from the System 
Configuration utility. To do this, select Active Directory repair on the Boot tab, as shown in 
Figure 5-9. After you've finished with Directory Services Restore Mode, use the same utility to 
restore normal boot functionality. 


© System Configuration x 


General Boot Services Startup Tools 


Advanced options... Set as default Delete 
Boot options Timeout: 
safe boot (No Gut boot 30 | seconds 
OMrimal C Boot log 
O Alternate shel C Base video 
@ Active Directory repair (D0 boot information [Make all boot settings 
O Network permanent 


[a ese] ER] Cis 


FIGURE 5-9 System Configuration 


To enter Directory Services Restore Mode, you need to enter the Directory Services Restore 
Mode password. 


To perform an authoritative restore, perform the following general steps: 


1. Choose a computer that functions as a Global Catalog server. This DC functions as your 
restore server. 


2. Locate the most recent system state backup that contains the objects that you want to 
restore. 


Restart the restore server in DSRM mode. Enter the DSRM password. 
4. Restore the system state data. 


Use the following command to restore items (where Mercury is the object name, Planets 
is the OU that it is contained in, and contoso.com is the host domain): 


wow 


Ntdsutil “authoritative restore restore object cn=Mercury,ou=Planets, 


dc=contoso,dc=com" q q 

6. Ifan entire OU is deleted, you can use the Restore Subtree option. For example, if you 
deleted the Planets OU and all the accounts that it held in the contoso.com domain, you 
could use the following command to restore it and all the items it contained: 


Ntdsutil "authoritative restore" "restore subtree OU=Planets ,DC=contoso,DC=com" 
qq 


If you need to perform an authoritative restore of SYSVOL, take the AD DS DC offline, 
restore the system state data from backup, and then modify the msDFSR-Options attribute of the 
SYSVOL subscription. You can do this once you enable the Advanced Features setting in Active 
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Directory Users and Computers and navigate to the Domain System Volume item under DFSR- 
LocalSettings in the Domain Controllers container. Once you have performed this step, you can 
reconnect the DC to the network and the restored SYSVOL will overwrite SYSVOL on other AD 

DS domain controllers in the domain. 


Nonauthoritative restore 


When you perform a nonauthoritative restore, you restore a backup of Active Directory that's 
in a good known state. When rebooted, the domain controller contacts replication partners 
and overwrites the contents of the nonauthoritative restore with all updates that have occurred 
to the database since the backup was taken. Nonauthoritative restores are appropriate when 
the Active Directory database on a database has been corrupted and needs to be recovered. 
You don't use a nonauthoritative restore to recover deleted items, since any deleted items that 
are restored when performing the nonauthoritative restore will be overwritten when changes 
replicate from other DCs. 


Performing a full system recovery on a DC functions in a similar way to performing a non- 
authoritative restore. When the recovered DC boots, all changes that have occurred in Active 
Directory since the backup was taken overwrite existing information in the database. 


Active Directory snapshots 


You can use ntdsutil.exe to create snapshots of the Active Directory database. A snapshot is a 
point-in-time copy of the database. You can use tools to examine the contents of the database 
as it existed at that point in time. For example, in the event that user accounts were removed 
from a security group but those user accounts were not deleted, you could see the previous 
membership of that security group by mounting a previous snapshot and examining the group 
properties in the mounted snapshot. 

It is also possible to transfer objects from the snapshot of the Active Directory database 
back into the version currently used with your domain's domain controllers. The AD DS service 
must be running to create a snapshot. 

To create a snapshot, execute the following command: 


Ntdsutil snapshot "Activate Instance NTDS" create quit quit 


Each snapshot is identified by a GUID. You can create a scheduled task to create snapshots 
on a regular basis. You can view a list of all current snapshots on a domain controller by run- 
ning the following command: 


Ntdsutil snapshot "list all" quit quit 


To mount a snapshot, make a note of the GUID of the snapshot that you want to mount and 
then issue the following command: 


Ntdsutil "activate instance ntds" snapshot "mount {GUID}" quit quit 
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When mounting snapshots, you must use the {} braces with the GUID. You can also use the 
snapshot number associated with the GUID when mounting the snapshot with the ntdsuti1 
command. This number is always an odd number. 


When the snapshot mounts, take a note of the path associated with the snapshot. You use 
this path when mounting the snapshot with dsamain. For example, to use dsamain with the 
snapshot mounted as c:\$SNAP_201212291630_VOLUMEc$\, issue this command: 


Dsamain /dbpath 'c:\$SNAP_201212291630_VOLUMEC$\Windows\NTDS\ntds.dit' /ldapport 50000 


You can choose to mount the snapshot using any available TCP port number; 50000 is just 
easy to remember. Leave the PowerShell windows open when performing this action. After the 
snapshot is mounted, you can access it using Active Directory Users and Computers. To do this, 
perform the following steps: 


1. Open Active Directory Users and Computers. 
2. Right-select the root node, and select Change Domain Controller. 


3. Inthe Change Directory Server dialog box, enter the name of the domain controller and 
the port, and select OK. You can then view the contents of the snapshot using Active 
Directory Users and Computers in the same way that you would the contents of the 
current directory. 


You can dismount the snapshot by pressing Ctrl+C to close dsamain and then executing the 
following command to dismount the snapshot: 


Ntdsutil.exe "activate instance ntds" snapshot "unmount {GUID}" quit quit 


Other methods of recovering deleted items 


Although the recommended way of ensuring that deleted Active Directory objects are recov- 
erable is to enable the Active Directory Recycle Bin or to perform an authoritative restore using 
DSRM, you can also use tombstone reanimation to recover a deleted object. Tombstone reani- 
mation involves using the Idp.exe utility to modify the attributes of the deleted object so that 
it no longer has the deleted attribute. Because it may lead to unpredictable results, you should 
use tombstone reanimation only if no backups of the system state data exist and you haven't 
enabled the Active Directory Recycle Bin. 

Although Active Directory snapshots do represent copies of the Active Directory database 
at a particular point in time, you should use mounted snapshots to determine which backup 
contains the items you want to authoritatively restore. It is possible to export objects from 
snapshots and to reimport them into Active Directory using tools such as LDIFDE (LDAP Data 
Interchange Format Data Exchange), but this can lead to unpredictable results. 


NEED MORE REVIEW? DIRECTORY SERVICES RESTORE MODE 


You can learn more about Directory Services Restore Mode at https://docs.microsoft.com/ 
en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/ 
ee410856(v=ws.10). 
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Troubleshoot Active Directory replication 


Replication makes it possible for changes that are made on one AD DS domain controller to 

be replicated to other domain controllers in the domain and, in some cases, to other domain 
controllers in the forest. Rather than replicating the AD DS database in its entirety, the replica- 
tion process is made more efficient by splitting the database into logical partitions. Replica- 
tion occurs at the partition level, with some partitions only replicating to domain controllers 
within the local domain, some partitions replicating only to enrolled domain controllers, and 
some partitions replicating to all domain controllers in the forest. AD DS includes the following 
default partitions: 


= Configuration partition This partition stores forest-wide AD DS structure informa- 
tion, including domain, site, and domain controller location data. The configuration 
partition also holds information about DHCP server authorization and Active Directory 
Certificate Services certificate templates. The configuration partition replicates to all 
domain controllers in the forest. 


= Schema partition The schema partition stores definitions of all objects and attributes 
as well as the rules for creating and manipulating those objects. There is a default set of 
classes and attributes that cannot be changed, but it’s possible to extend the schema 
and add new attributes and classes. Only the domain controller that holds the Schema 
Master FSMO role is able to extend the schema. The schema partition replicates to all 
domain controllers in the forest. 


= Domain partition The domain partition holds information about domain-specific 
objects such as organizational units, domain-related settings, and user, group, and 
computer accounts. A new domain partition is created each time you add a new domain 
to the forest. The domain partition replicates to all domain controllers in a domain. All 
objects in every domain partition are stored in the Global Catalog, but these objects are 
stored only with some, not all, of their attribute values. 


= Application partition Application partitions store application-specific information 
for applications that store information in AD DS. There can be multiple application 
partitions, each of which is used by different applications. You can configure application 
partitions so that they replicate only to some domain controllers in a forest. For exam- 
ple, you can create specific application partitions to be used for DNS replication so that 
DNS zones replicate to some, but not all, domain controllers in the forest. 


Domains running at the Windows Server 2008 and higher functional level support attri- 
bute-level replication. Rather than replicate the entire object when a change is made to an 
attribute on that object, such as when group membership changes for a user account, only 
the attribute that changes is replicated to other domain controllers. Attribute-level replication 
substantially reduces the amount of data that needs to be transmitted when objects stored in 
AD DS are modified. 
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Understanding multimaster replication 


AD DS uses multimaster replication. This means that any writable domain controller is able to 
make modifications of the AD DS database and to have those modifications propagate to the 
other domain controllers in the domain. Domain controllers use pull replication to acquire 
changes from other domain controllers. A domain controller may pull changes after being 
notified by replication partners that changes are available. A domain controller notifies its first 
replication partner that a change has occurred within 15 seconds and additional replication 
partners every 3 seconds after the previous notification. Domain controllers also periodically 
poll replication partners to determine whether changes are available so that those changes 
can be pulled and applied to the local copy of the relevant partition. By default, polling occurs 
once every 60 minutes. You can alter this schedule by editing the properties of the connection 
object in the Active Directory Sites and Services console. 


Knowledge Consistency Checker (KCC) 


The Knowledge Consistency Checker (KCC) runs on each domain controller. The KCC is respon- 
sible for creating and optimizing the replication paths between domain controllers located at 
a specific site. In the event that a domain controller is added or removed from a site, the KCC 
automatically reconfigures the site’s replication topology. The KCC topology organization 
process occurs every 15 minutes by default. Although you can change this value by editing the 
registry, you can also trigger an update using the repadmin command-line tool with the 

KCC switch. 


Store and forward replication 


AD DS supports store and forward replication. For example, say the Canberra and Melbourne 
branch offices are enrolled in a custom application partition. These branch offices aren't con- 
nected to each other, but they are connected to the Sydney head office. In this case, changes 
made to objects stored in the application partition at Canberra can be pulled by the domain 
controller in Sydney. The Melbourne domain controller can then pull those changes from the 
domain controller in Sydney. 


Conflict resolution 


In an environment that supports multimaster replication, it's possible that updates may be 
made to the same object at the same time in two or more different places. Active Directory 
includes sophisticated technologies that minimize the chance that these conflicts will cause 
problems, even when conflicting updates occur in locations that are distant from each other. 

Each domain controller tracks updates by using update sequence numbers (USNs). Each 
time a domain controller updates, either by processing an update performed locally or by pro- 
cessing an update acquired through replication, it increments the USN and associates the new 
value with the update. USNs are unique to each domain controller as each domain controller 
processes a different number of updates to every other domain controller. 
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When this happens, the domain controller that wrote the most recent change, known as the 
last writer, wins. Because each domain controller's clock might not be precisely synchronized 
with every other domain controller's clock, last write isn't simply determined by a comparison 
of time stamps. Similarly, because USNs are unique to each domain controller, a direct com- 
parison of USNs is not made. Instead, the conflict resolution algorithm looks at the attribute 
version number. This is a number that indicates how many times the attribute has changed 
and is calculated using USNs. When the same attribute has been changed on different domain 
controllers, the attribute with the higher attribute version number wins. If the attribute ver- 
sion number is the same, the attribute modification time stamps are compared, with the most 
recent change being deemed authoritative. 


If you add or move an object to a container that was deleted on another domain control- 
ler at the same time, the object is moved to the LostAndFound container. You can view this 
container when you enable the Advanced Features option in the Active Directory Users and 
Computers console. 


RODC replication 


The key difference between an RODC and a writable domain controller is that RODCs aren't 
able to update the Active Directory database and that they only host password information 
for a subset of security principals. When a client in a site that only has RODCs needs to make 

a change to the Active Directory database, that change is forwarded to a writable domain 
controller in another site. When considering replication, remember that all RODC-related 
replication is incoming and that other domain controllers do not pull updates from the AD DS 
database hosted on an RODC. 


RODCs use the usual replication schedule to pull updates from writable domain controllers 
except in certain cases. RODCs perform inbound replication using a replicate-single-object 
(RSO) operation. These cases include: 


m The password of a user whose account password is stored on the RODC is changed. 


m A DNS record update occurs where the DNS client performing the update attempts to 
use the RODC to process the update and is then redirected by the RODC to a writable 
DC that hosts the appropriate Active Directory—integrated DNS zone. 


= Client attributes, including client name, DnsHostName, OsName, OsVersionInfo, 
supported encryption types, and LastLlogonTimeStamp, are updated. 


These updates occur outside the usual replication schedule as they involve objects and 
attributes that are important to security. An example is when a user at a site that uses RODCs 
calls the service desk to have their password reset. The service desk staff member, located in 
another site, resets the password using a writable domain controller. If a special RSO operation 
isn't performed, it is necessary to wait for the change to replicate to the site before the user is 
able to sign on with the newly reset password. 
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Monitor and manage replication 


You can use the Active Directory Sites and Services console to trigger replication. You can 
trigger replication on a specific domain controller by right-clicking the connection object and 
selecting Replicate Now. When you do this, the domain controller replicates with all of its 
replication partners. 

You can also monitor replication as it occurs using DirectoryServices performance coun- 
ters in Performance Monitor. Through Performance Monitor, you can view inbound and 
outbound replication, including the number of inbound objects in the queue and pending 
synchronizations. 


Repadmin 


You can use the repadmin command-line tool to manage and monitor replication. This tool is 
especially useful at enabling you to diagnose where there are problems in a replication topol- 
ogy. For example, you can use repadmin with the following switches: 


= replsummary Generates information showing when replication between partners has 
failed. You can also use this switch to view information about the largest intermission 
between replication events. 


m showrepl Views specific inbound replication traffic, including objects that were repli- 
cated and the date stamps associated with that traffic. 


= prp Determines which user account passwords are being stored on an RODC. 
m kcc Forces the KCC to recalculate a domain controller's inbound replication topology. 


m queue Enables you to display inbound replication requests that a domain controller 
must make to reach a state of convergence with source replication partners. 


= replicate Forces replication of a specific directory partition to a specific destination 
domain controller. 


= replsingleobj Use this switch when you need to replicate a single object between two 
domain controllers. 


= rodcpwdrepl Enables you to populate RODCs with the passwords of specific users. 


m showutdvec Displays the highest USN value recorded for committed replication 
operations on a specific DC. 


NEED MORE REVIEW? TROUBLESHOOTING AD DS REPLICATION 


You can learn more about troubleshooting AD DS replication at https://docs.microsoft.com/ 
en-us/windows-server/identity/ad-ds/manage/troubleshoot/troubleshooting-active- 
directory-replication-problems. 
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Recover SYSVOL 


SYSVOL (system volume) is a special set of folders on each AD DS domain controller that store 
group policy templates, junction points, and startup and logon scripts. The default location on 
each AD DS domain controller is the %SYSTEMROOT%\SYSVOL\sysvol folder. When in a health 
state, SYSVOL replicates to each domain controller in an AD DS domain. 


In some cases when replication is failing and you are unable to successfully perform main- 
tenance tasks on SYSVOL, you may choose to rebuild SYSVOL. You should only rebuild SYSVOL 
in the event that the other domain controllers in a domain have a healthy and functioning 
SYSVOL. 


To rebuild SYSVOL, perform the following general steps: 

1. Identify a replication partner of the AD DS DC that has SYSVOL in a healthy state. 
Restart the impacted AD DS DC in DSRM. 

Stop the DFS Replication Service and Netlogon Service on the impacted AD DS DC. 
Delete the SYSVOL folder on the AD DS DC. 

Create a copy of the SYSVOL folder on the healthy replication partner. 


Au wn 


In the copy of the SYSVOL folder on the replication partner, update the path for <JUNC- 
TION> from the healthy DC's FQDN to the FQDN of the DC you are repairing. 


7. Use robocopy to copy the duplicate SYSVOL folder off the healthy replication partner 
to the location on the impacted AD DS DC that you removed the problematic SYSVOL 
folder from in Step 4. 


8. Restart the AD DS in normal mode and determine whether the problems with SYSVOL 
have been resolved. 


NEED MORE REVIEW? RECOVER SYSVOL 


You can learn more about recovering SYSVOL at https://docs.microsoft.com/en-us/ 
previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc816596(v=ws.10). 


Troubleshoot hybrid authentication issues 

The process of being able to use a single identity for on-premises and cloud resources is rarely 
straightforward. The first step in troubleshooting hybrid authentication involves diagnosing 
where the problem might occur. Is it an issue of identity synchronization? Is it an issue related 
to password hashes or pass-through authentication? Is the cause a problem related to AAD 
single sign-on? 


Troubleshoot identity synchronization 


When you configure Azure AD Connect to synchronize identities from an on-premises instance 
of AD DS with Azure AD, a Synchronization Errors report becomes available with the Azure 
portal. Errors that may be displayed in this report include the following: 
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m Data mismatch errors Azure AD does not allow two or more objects to have 
the same value for certain attributes, including proxyAddress, userPrincipalName, 
onPremesisSecurityldentifier and objectID. Identify which two objects are in conflict 
and determine which one should be present in Azure AD. This may involve changing the 
attribute in one on-premises object or deleting that object. 


m Object type mismatch Occasionally two objects of different type (user, group, or 
contact) have the same attribute values. An example is mail-enabled security groups 
sometimes being configured with the same proxyAddress attribute as a user account. 
Determine which objects have the duplicate attribute and remediate by changing one 
of the attribute values. 


= Data validation errors This error can occur when the userPrincipalName attribute 
value has invalid or unsupported characters or doesn't follow the appropriate format. 


= Access violation errors Occurs when Azure AD Connect attempts to update a cloud- 
only object. 


m Large objected errors Attribute value exceeds size limit or length limit. Often occurs 
with the userCertificate, userSMIMECertificate, thumbnailPhoto, and proxyAddresses 
attributes. 


NEED MORE REVIEW? IDENTITY SYNCHRONIZATION 


You can learn more about troubleshooting identity synchronization at https:// 
docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sync-errors. 


Troubleshoot password hash synchronization 


Azure AD Connect includes several troubleshooting-related PowerShell scripts. To allow these 
scripts to run, open a PowerShell session on the server on which Azure AD Connect is installed 
and ensure that the execution policy is set to RemoteSigned using the following command: 


Set-ExecutionPolicy RemoteSigned 


You can then start the Azure AD Connect wizard and select Troubleshoot from the Addi- 
tional Tasks page. This will open a troubleshooting menu in PowerShell. From this menu you 
can then select Troubleshoot password hash synchronization. The tests in the submenu 
include troubleshooting the issue where no passwords are synchronized or when one specific 
object's password is not synchronized. 


The Password hash synchronization does not work at all task performs the following 
tests: 


m Verifies that password hash synchronization is enabled for the Azure AD tenant 


m Verifies that the Azure AD Connect server is not in staging mode 
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m Verifies that the on-premises AD DS connector has the password hash synchronization 
feature enabled 


= Searches the Windows Application Event logs for password hash synchronization 
heartbeat activity 


m Validates that the AD DS accounts used by the connector have the appropriate 
username, password, and permissions 


If you select the Password is not synchronized for a specific user account option, the 
following checks are performed: 


m Checks the state of the Active Directory object in the Active Directory connector space, 
Metaverse, and Azure AD connector space 


m Verifies that there are synchronization rules with password hash synchronization 
enabled and applied to the Active Directory object 


m Determines the last attempt to synchronize the password for the object 


Azure AD Connect will not synchronize temporary passwords to Azure AD. If an account has 
the Change password at next logon option set, it will be necessary for the user to change 
their password before hash synchronization can occur to replicate a hash of the password 
to Azure. 


NEED MORE REVIEW? TROUBLESHOOT PASSWORD HASH SYNCHRONIZATION 


You can learn more about troubleshooting hybrid password hash synchronization at 
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-password- 
hash-synchronization. 


Troubleshoot pass-through authentication 

The first step in troubleshooting pass-through authentication is checking the status of the 
feature in the Azure AD Connect blade of the Azure AD admin center. Pass-through authenti- 
cation provides the following user sign-in error messages that can help troubleshooting: 

m Unable to connect to Active Directory Ensure that agent servers are members of 
the same AD forest as the users whose passwords need to be validated. Ensure users are 
able to connect to Active Directory. (AADSTS80001) 

= A timeout occurred connecting to Active Directory Verify that Active Directory is 
available and is responding to requests from the agents. (AADSTS8002) 


= Validation encountered unpredictable WebException A transient error. Retry the 
request. If it continues to fail, contact support. (AADSTS80005) 


= An error occurred communicating with Active Directory Check the agent 
logs for more information and verify that Active Directory is operating as expected. 
(AADSTS80007) 
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Users may also getan invalid username/password error in the event that their on-premises 
UserPrincipalName (UPN) differs from their Azure UPN. If your tenancy has an Azure AD Pre- 
mium license, you can view the sign-in activity report in Azure AD to diagnose pass-through 
authentication issues. The sign-in activity report will provide the following sign-in failure 
telemetry: 


User's Active Directory password has expired Resolve by resetting the user's 
password in your on-premises AD DS. 


No Authentication Agent available Resolve by installing and registering an Authen- 
tication Agent for pass-through authentication. 


Authentication Agent's password validation request timed out Check if the com- 
puter that hosts the Authentication Agent can communicate with on-premises AD DS. 


Invalid response received by Authentication Agent If this occurs for multiple 
users, check Active Directory Domain Services replication. 

Authentication Agent unable to connect to Active Directory Check if the com- 
puter that hosts the Authentication Agent can communicate with on-premises AD DS. 
Authentication Agent unable to decrypt password Uninstall the existing Authenti- 
cation Agent and install and register a new Authentication Agent. 


Authentication Agent unable to retrieve decryption key Uninstall the existing 
Authentication Agent and install and register a new Authentication Agent. 


You also need to ensure that the Authentication Agent or the computer that hosts Azure AD 
Connect is able to communicate both with on-premises AD DS as well as Azure. Communica- 
tion with Azure can occur either directly or through a proxy. 


NEED MORE REVIEW? TROUBLESHOOT PASS-THROUGH AUTHENTICATION 


You can learn more about troubleshooting hybrid pass-through authentication at 


https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-pass- 


through-authentication. 


Azure Active Directory Seamless Single Sign-On 


You can check whether Seamless SSO is enabled for an Azure AD tenant on the Azure AD 
Connect blade of Azure Active Directory admin center in the Azure portal. If the Azure AD 
tenancy has an Azure AD Premium license associated with it, the sign-in activity report is pres- 
ent in Azure Active Directory admin center that can provide you with sign-in failure reasons. 
Problems can occur with Azure AD SSO under the following circumstances: 


If Seamless SSO has been disabled and then reenabled on a tenancy as part of a trouble- 
shooting process, users may not be able to perform SSO for up to 10 hours due to their 
existing Kerberos tickets remaining valid. 
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m Users that are members of too many AD DS groups are unable to perform SSO because 
their Kerberos tickets become too large to process. You may need to reduce the number 
of groups a user is a member of to successfully perform SSO. Sign-in error code 81001 
will list "user's Kerberos ticket too large.” 


m Seamless SSO isn’t supported if more than 30 AD DS forests are being synchronized with 
a single Azure AD tenant. 


m If forest trust relationships exist for on-premises AD DS forests, enabling SSO in one 
forest enables SSO in all forests. 


= The policy that enables Seamless SSO has a 25,600-character limit. That limit applies to 
everything included in the policy including forest names. Extremely long forest names 
with multiple forests can impact the policy limit. 


m Ifthe error code 81010 reads that “Seamless SSO failed because user's Kerberos ticket 
has expired or is invalid,” the user will need to sign on from a domain-joined device on 
the on-premises network. You can use the klist purge command to remove existing 
tickets and to retry logon. 


m Ensure that the device's time is synchronized with Active Directory and that the com- 
puter that hosts the PDC emulator role has time synchronized with an accurate external 
time source. 


m Use the klist command from a command prompt to verify that tickets issued for the 
AZUREADSSOACC computer account are present. 


NEED MORE REVIEW? TROUBLESHOOT AZURE ACTIVE DIRECTORY SEAMLESS SINGLE 
SIGN-ON 


You can learn more about troubleshooting Azure Active Directory Seamless Single Sign-On at 
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso. 


Troubleshoot on-premises Active Directory 


A common cause of AD DS problems is DNS. AD DS domain controllers and clients uses DNS 
to locate resources in AD DS. One of the simplest and most effective troubleshooting steps 
you can take when trying to resolve problems with AD DS is to check which DNS servers have 
been configured for AD DS domain controllers and the servers and clients that need to interact 
with them. Other troubleshooting strategies covered in this section include DCDiag, database 
optimization, and performing metadata cleanup. 


DCDiag 


DCDiag.exe is a tool that is built into Windows Server that you can use from an elevated com- 
mand prompt to check the health of a specific domain controller. You can run it locally on an 
AD DS domain controller or run it remotely using the /s parameter against a remote domain 
controller in the same forest. You can also use it with the /e parameter to check all servers in 
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the enterprise. The /c parameter runs all tests except the DCPromo and RegisterInDNS tests. 
You can use the dcdiag command with the /fix parameter to fix Service Principal Names (SPNs) 
related to the Machine Account object of a domain controller. 


DCDiag checks include the following, which can be run separately or all at once: 


DNS Tests including network connectivity, DNS client configuration, domain con- 
troller registration in DNS, service availability, zone configuration, zone delegation, 
dynamic update, CNAME, and SRV record checks. 


Connectivity Determines if domain controllers present in AD DS can be contacted. 
Replication checks Determine if any replication errors have occurred. 


NCSecDesc Verify that security descriptors on naming context heads are configured 
appropriately for replication. 


NetLogons Determine if permissions are configured appropriately for replication. 
Advertising Checks to verify that each DC advertises the roles it is able to perform. 
KnowsOfRoleHolders Checks that each DC can contact each FSMO role holder. 
Intersite Determines if failovers have occurred that block intersite replication. 


FSMOCheck Checks if an FSMO role holder can contact the Kerberos Key Distribution 
Center server, time server, and Global Catalog server. 


RidManager Determines whether the relative identifier master FSMO role is acces- 
sible and functioning correctly. 


MachineAccount Determines whether the DC's computer account is properly regis- 
tered and services are advertised. Can repair if this account is missing or if account flags 
are incorrect. 


Services Determines if all necessary AD DS DC services are running. 


OutboundSecureChannels Checks that secure channels exist to all other domain 
controllers in the forest. 


ObjectsReplicated Verifies that the Machine Account and the Directory System 
Agent objects have replicated. 


KCCEvent Checks that the Knowledge Consistency Checker completes without error. 
Systemlog Checks the systemlog for critical errors. 
CheckSDRefDom Verifies security descriptors for application directory partitions. 


VerifyReplicas Checks that application directory partitions are properly replicating to 
designated replicas. 


CrossRefValidation Verifies integrity of cross-references. 


Topology Ensures that the KCC has a fully connected topology for all domain 
controllers. 


CutOffServers Determines if any AD DS DC is not receiving replication because repli- 
cation partners are nonresponsive. 


Sysvolcheck Checks SYSVOL health. 
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NEED MORE REVIEW? DCDIAG 


You can learn more about DCDiag at https://docs.microsoft.com/en-us/previous-versions/ 
windows/it-pro/windows-server-2012-R2-and-2012/cc731968(v=ws.11). 


Active Directory database optimization 


There are several steps you can take to optimize your Active Directory database, including 
defragmenting the database, performing a file integrity check, and performing a semantic 
integrity check. 


When you defragment the Active Directory database, a new copy of the database file, Ntds. 
dit, is created. You can defragment the Active Directory database or perform other operations 
only if the database is offline. You can take the Active Directory database offline by stopping 
the AD DS service, which you can do from the Update Services console or by issuing the follow- 
ing command from an elevated PowerShell prompt: 


Stop-Service NTDS -force 


You use the ntdsutil.exe utility to perform the fragmentation using the following command: 


ntdsutil.exe "activate instance ntds" files “compact to c:\\" quit quit 


After the defragmentation has completed, copy the defragmented database over the origi- 
nal located in C:\\windows\NTDS\ntds.dit and delete all log files in the C:\windows\NTDS folder. 


You can check the integrity of the file that stores the database using ntdsutil.exe by issuing 
the following command from an elevated prompt when the AD DS service is stopped: 


ntdsutil.exe “activate instance ntds" files integrity quit quit 


To verify that the AD DS database is internally consistent, you can run a semantic consis- 
tency check. The semantic check can also repair the database if problems are detected. You can 
perform a semantic check using ntdsutil.exe by issuing the following command: 


wou mou wou 


ntdsutil.exe “activate instance ntds verbose on" "go 


fixup" quit quit 


semantic database analysis 


Active Directory metadata cleanup 


The graceful way to remove a domain controller is to run the Active Directory Domain Services 
Configuration Wizard to remove AD DS. You can also remove the domain controller gracefully 
by using the Uninstal1-ADDSDomainController cmdlet. When you do this, the domain controller 
is removed, all references to the domain controller in Active Directory are also removed, and 
any FSMO roles that the domain controller hosted are transferred to other DCs in the domain. 


Active Directory metadata cleanup is necessary if a domain controller has been forcibly 
removed from Active Directory. Here's an example: an existing domain controller catches 
fire or is accidentally thrown out of a window by a systems administrator having a bad day. 
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When this happens, references to the domain controller within Active Directory remain. These 
references, especially if the domain controller hosted FSMO roles, can cause problems if not 
removed. Metadata cleanup is the process of removing these references. 

If you use the Active Directory Users and Computers or Active Directory Sites and Services 
console to delete the computer account of a domain controller, the metadata associated with 
the domain controller are cleaned up. The console will prompt you when you try to delete the 
account of a domain controller that can't be contacted. You confirm that you can’t contact the 
domain controller. When you do this, metadata cleanup occurs automatically. 

To remove server metadata using ntdsutil, issue the following command, where <Server- 
Nameb> is the distinguished name of the domain controller whose metadata you want to 
remove from Active Directory: 


Ntdsutil "metadata cleanup" "remove selected server <ServerName>" 


NEED MORE REVIEW? TROUBLESHOOT AD DS 


You can learn more about troubleshooting AD DS at https://docs.microsoft.com/en-us/ 
windows-server/identity/ad-ds/deploy/troubleshooting-domain-controller-deployment. 


EXAM TIP 


Remember that you can view how Active Directory Domain Services looked at a previous 
point in time, including what the group memberships were, by mounting a previous snap- 
shot and then connecting to that snapshot using Active Directory Users and Computers. 


Chapter summary 


m You can monitor Windows Server performance using Performance Monitor. This allows 
you to view point-in-time information for configured performance counters. 


m Data collector sets allow you to collect performance counters and telemetry over time. 


m System Insights allows you to use machine learning to predict when CPU, storage, or 
network resources on a server might reach capacity. 


m Azure Monitor lets you collect performance counters to Azure and create alerts. You 
need the Log Analytics workspace ID and key to install the agent. 


m You can use the Network Watcher to troubleshoot hybrid connections. 


m When troubleshooting VM boot problems, you can create a copy of the OS boot disk 
and use a recovery VM to perform diagnosis and repair before replacing the original OS 
disk with the repaired disk. 


m When troubleshooting disk encryption issues ensure that there is connectivity between 
the laaS VM and Azure Key Vault. 
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m You can only restore objects from AD Recycle Bin after it has been enabled. You can use 
Directory Services Restore mode to restore deleted items from a backup. 


m You can use repadmin.exe to troubleshoot Active Directory replication. 


m You can use dcdiag.exe to troubleshoot on-premises AD DS domain controllers. 


Thought experiment 


In this thought experiment, demonstrate your skills and knowledge of the topics covered in this 
chapter. You can find answers to this thought experiment in the next section. 


You are in the process of examining an AD DS deployment that is reaching 20 years of age. 
In the last 20 years, the site topology has changed dramatically as new branch offices and 
sites have been added and removed, and domain controllers have been deployed, upgraded, 
demoted, and have sometimes suffered catastrophic hardware failure. As part of your process, 
you want to examine the health of each domain controller, determine how replication is func- 
tioning, and perform maintenance operations on the Active Directory databases. With this in 
mind, answer the following questions: 


1. What command-line utility can you use to check the health of an AD DS domain controller 
to ensure that all appropriate AD DS DNS records are registered for each AD DS DC? 


2. What command-line utility can you use to determine when replication last occurred 
between AD DS DC replication partners? 


3. What tool procedure do you use to defragment the AD DS database and perform a 
semantic integrity check? 


Thought experiment answers 


This section contains the solution to the thought experiment. Each answer explains why the 
answer choice is correct. 


1. You use dcdiag.exe to assess the health of an AD DS domain controller. You can also use 
this utility to determine if all relevant DNS records related to the AD DS DC are present. 

2. You can use repadmin.exe with the rep1summary switch to determine when replication 
last occurred between specific replication partners. 

3. You stop NTDS on the domain controller with the Stop-Service PowerShell cmdlet. You 
use ntdsutil.exe to mount and defragment the AD DS database file ntds.dit. You can 
also use ntdsutil.exe to perform a semantic integrity check on the file. You then copy 
the defragmented and checked file back to the original C:\\windows\NTDS location after 
removing the original and restart NTDS on the AD DS DC. 
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Install-ADServiceAccount cmdlet, 20 
installing 
Azure Monitor agents, 206 
failover cluster, 89 
MABS (Microsoft Azure Backup Server), 125 
WSMT (Windows Server Migration Tools), 174 
Install-WindowsFeature cmdlet, 89, 95, 174 
IPsec, WDFAS configuration, 71-72 


J-K 


JIT (just-in-time) access, 58, 229 


KCC (Knowledge Consistency Checker), 239 
KRBTGT account password, 40-41 


L 


LAPS (Local Administrator Password 
Solution), 32-34 
least privilege, 50 
load balancing 
network, 100, 102-103 
cluster operation modes, 103-104 
filtering and affinity, 105 
managing cluster nodes, 104-105 
port rules, 104-105 
prerequisites, 103 
VM, 101-102 
Local Group Policy Object tool, 17 
lockout policies, 29, 31 
Log Analytics workspace, 56 


LRS (locally redundant storage), 122 
LSA (Local Security Authority) protection, 10 


M 


MABS (Microsoft Azure Backup Server), 124-125 
backing up Hyper-V VMs, 126 
installing, 125 
recovering data, 126 
managing, Windows Defender, 8 
MARS (Microsoft Azure Recovery Services) agent, 
131-132 
backing up data, 134 
deploying, 132-134 
minimum retention limits, 132 
restore from, 134-135 
Microsoft Defender for Cloud, 57 
tools 
adaptive application controls, 59 
adaptive network hardening, 60 
Azure security baselines, 58 
file integrity monitoring, 59 
JIT (just-in-time) access, 58 
threat and vulnerability management, 58 
Microsoft Sentinel, 56-57 
migration, 157 
AD DS infrastructure to Windows Server 2022 
AD DS, 188-189 
demote existing domain controllers, 192 
DNS migration, 191-192 
migrate AD DS objects using ADMT, 193-194 
migrate to a new AD forest, 194-195 
transfer FSMO role holder, 190-191 
upgrade an existing forest, 189 
IIS workloads to Azure Web Apps, 184-185 
App Service Hybrid Connections, 185 
Azure AD Application Proxy, 186 
IIS workloads to containers, 186-188 
on-premises servers to Azure, 166-167. See also 
Azure Migrate 


migrate physical workloads to Azure laaS, 171-172 


migrate VM workloads to Azure laaS, 169-171 
using Azure Migrate, 167-169 
on-premises storage to on-premises servers or 
Azure, 157 
Azure Data Box, 166 
Azure file shares, 164-166 
copy data, 161-162 
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cut over to a new server using Storage Migration 
Service, 162-164 
inventory source servers, 160 
Storage Migration Service Orchestrator, 159 
transfer data and shares, 158-159 
use Storage Migration Service to migrate to 
Azure virtual machines, 164 
from previous versions to Windows 2022, 172-173 
DHCP (Dynamic Host Configuration Protocol), 
179-182 
IIS (Internet Information Services), 174-175 
migrate Hyper-V hosts, 175-178 
print servers, 182-183 
RDS (Remote Desktop Services) host servers, 
178-179 
mirror-accelerated parity, S2D (Storage Spaces Direct), 112 
monitoring 
replication, 241 
RSVs (Azure Recovery Services vaults), 122-123 
servers, 201-202 
using Azure Monitor 
agents, 206 
agents, installing, 206 
alerts, 208 
Azure Diagnostics extension, 208-209 
data collection rules, 207 
network requirements, 207 
using data collector sets, 200-201 
using Event Viewer, 202 
event log filters, 202-203 
event log views, 203-204 
event subscriptions, 204-205 
event-driven tasks, 205-206 
using Performance Monitor, 198-199 
using System Insights, 202 
using VM Insights, 209-210 
Move-ClusterGroup cmdlet, 109 
Move-ClusterResource cmdlet, 109 
Move-ClustersharedVolume cmdlet, 109 
Move-ClusterVirtualMachineRole cmdlet, 109 
multimaster replication, 239 


N 


nested resiliency, S2D (Storage Spaces Direct), 112 
network adapters, failover cluster configuration, 95 
network load balancing, 100 

Network Watcher, 210-211 


policy(ies) 


New-ADServiceAccount cmdlet, 19 
New-Cluster cmdlet, 91, 112 
NLB (network load balancing), 102-103 
cluster operation modes, 103-104 
filtering and affinity, 105 
managing cluster nodes, 104-105 
port rules, 104-105 
prerequisites, 103 
nonauthoritative restore, 236 
nonexpiring passwords, 30-31 
ntdsutil.exe, 248 
NTLM, disabling, 17-18 


O 


OU (organizational unit), 89 

Overview dashboard, RSV (Azure Recovery Services 
vault), 122 

overwriting, VMs, 138 


P 


Package Inspector, 6-7 
pass-through authentication, troubleshooting, 
244-245 
password hash synchronization, troubleshooting, 
243-244 
password policy(ies), 24, 25. See also account 
management; LAPS (Local 
Administrator Password Solution) 
account lockout settings, 29 
Azure AD Password Protection, 34 
balanced, 28 
delegating password setting permissions, 25-26 
determining password settings, 28 
fine-grained, 26-27 
KRBTGT account password, 40-41 
locked-out accounts, 31 
nonexpiring passwords, 30-31 
password replication, 36-37 
PSO (Password Settings Object), 27-28 
PAWs (Privileged Access Workstations), 43-44 
performance, troubleshooting on VMs, 224 
Performance Monitor, 198, 199 
point-to-site VPN, troubleshooting, 212-213 
Policy Analyzer tool, 15-17 
policy(ies) 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


257 


policy(ies) 
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audit, 21 
auditpol.exe, 22-23 
expression-based, 21-22 
file and folder, 22 
settings, 21 
authentication, 41-42 
backup, 127-128 
password, 24, 25 
account lockout settings, 29 
Azure AD Password Protection, 34 
balanced, 28 
delegating password setting permissions, 25-26 
determining password settings, 28 
fine-grained, 26-27 
KRBTGT account, 40-41 
locked-out accounts, 31 
nonexpiring, 30-31 
PSO (Password Settings Object), 27-28 
site recovery, 146-147 
Turn on Virtualization Based Security, 7, 10 
user rights, 12-15 
WSUS (Windows Server Update Services), 63 


port rules, NLB (network load balancing), 104-105 
PowerShell 


Azure Migrate deployment script, 169 

cmdlets 
Add-ClusterNode, 107 
Add-ClusterScaleOutFileServerRole, 97 
Add-ClusterScaleoutFileServerRole, 99 
Add-ClusterVMMonitoredltem, 98 
Add-MpPreference, 5, 8 
BitLocker management, 81 
Get-AZVM, 225 
Get-ClusterNodeSupportedVersion, 108 
Get-DnsServerStatistics, 218 
Get-MpComputerStatus, 8 
Get-MpPreference, 8 
Get-MpThreat, 8 
Get-MpThreatCatalog, 8 
Get-MpThreatDetection, 8 
Get-ProcessMitigation, 4 
Install-ADServiceAccount, 20 
Install-WindowsFeature, 89, 95, 174 
Move-ClusterGroup, 109 
Move-ClusterResource, 109 
Move-ClustersharedVolume, 109 
Move-ClusterVirtualMachineRole, 109 
New-ADServiceAccount, 19 
New-Cluster, 91, 112 


Remove-MpPreference, 5, 8 
Remove-MPThreat, 8 
Set-ADServiceAccount, 20 
Set-ClusterOwnerNode, 96 
Set-ExecutionPolicy, 243 
Set-MpPreference, 4-5, 8 
Set-ProcessMitigation, 4 
Start-MpScan, 8 
Start-MpWDOScan, 8 
start-service msdepsvc, 175 
Test-Cluster, 90, 112 
Uninstall-ADDSDomainController, 248 
Uninstall-WindowsFeature, 8 
Update-ClusterFunctionalLevel, 108 
Update-MpSignature, 8 
remote, 228 

print servers, migrating to Windows Server 2022, 

182-183 

Protected Users group, 9, 34-35 

PSO (Password Settings Object), 27-28 


Q-R 
quorum 

dynamic, 91-92 

failover cluster configuration, 93-94 
RBAC (role-based access control), 50-51 


RDS (Remote Desktop Services), migrating to Windows 


Server 2022, 178-179 
recovering, Azure File shares, 124 
recovery plans, 144. See also backup and recovery 
remote PowerShell, 228 
Remove-MpPreference cmdlet, 5, 8 
Remove-MPThreat cmdlet, 8 
repadmin, 241 
repairing laaS VMs, 223 
replication 
monitoring, 241 
multimaster, 239 
RODC, 240-241 
store and forward, 239 
troubleshooting, 238 
requirements 
failover clustering, 89 
Windows Defender Credential Guard, 9-10 
resetting passwords 
Azure AD self-service password reset, 53-55 
delegating password setting permissions, 25-26 
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snapshots 


resiliency types, S2D (Storage Spaces Direct), 113 account management, 44-45 
RODCs (read-only domain controllers), 36 Controlled Folder Access, 4-5 
decommissioning, 38 DCs (domain controllers), 38-40 
local administrators, 38 configure authentication policy silos, 41-42 
partial attribute set, 37-38 KRBTGT account password, 40-41 
password replication, 36-37 restrict scheduled tasks, 40 
replication, 240-241 restricting access, 43-44 
RSVs (Azure Recovery Services vaults) exploit protection, 2 
alerts, 123 application-level settings, 3-4 
CRR (Cross-Region Restore), 122 system-level settings, 3 
deleting, 123 hardening, 1 
GRS (geo-redundant storage), 122 Protected Users group, 34-35 
LRS (locally redundant storage), 122 RODCs (read-only domain controllers), 36 
monitoring, 122-123 decommissioning, 38 
Overview dashboard, 122 local administrators, 38 
ZRS (zone-redundant storage), 122 partial attribute set, 37-38 
rules password replication, 36-37 
automatic approval, 64-65 WDAC (Windows Defender Application Control), 5-6 
Azure Monitor, 208 Audit mode, 6-7 
connection security, 72-73 features, 6 
authentication exemptions, 74 Turn on Virtualization Based Security policy, 7 
tunnel, 73-74 Virtual Secure Mode, enabling, 6 
data collection, 207 Windows Defender Credential Guard, 9 
domain isolation, 75-76 Enabled With UEFI Lock option, 10 
inbound, 69-70 features and solutions, 9 
outbound, 70-71 LSA (Local Security Authority) protection, 10 
port, 104-105 Protected Users group, 9 
run profile, 107 requirements, 9-10 


restrictions, 9 
Turn on Virtualization Based Security policy, 10 


S Server Migration tool, 168 
service accounts, 18-20 
S2D (Storage Spaces Direct), 110-111 Set-ADServiceAccount cmdlet, 20 
cache drives, 113 Set-ClusterOwnerNode cmdlet, 96 
DAX (direct access), 114 Set-ExecutionPolicy cmdlet, 243 
deployment options, 111-112 Set-MpPreference cmdlet, 4-5, 8 
mirror-accelerated parity, 112 Set-ProcessMitigation cmdlet, 4 
nested resiliency, 112 shadow copies, 135-136 
failover clustering, 112-113 SIEM (security information and event 
upgrading, 114-115 management), 56 
networking, 115-116 silo claim, 42 
properties, 111 site recovery 
resiliency types, 113 for Azure VMs, 144-145 
Schema Admins group, 47 networking, 145-146 
SCT (Security Compliance Toolkit), 15 policy, 146-147 
Local Group Policy Object tool, 17 for on-premises VMs, 142-144 
Policy Analyzer tool, 15-17 site-to-site VPN, troubleshooting, 213 
Seamless SSO, troubleshooting, 245-246 smart paging, 150 
security. See also WDFAS (Windows Defender Firewall SmartScreen, 11 
with Advanced Security) snapshots, 236-237 
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SOAR (security orchestration, automation, and response) 


SOAR (security orchestration, automation, 
and response), 56 
split-brain scenarios, 92 
Start-MpScan cmdlet, 8 
Start-MpWDOScan cmdlet, 8 
start-service msdepsvc cmdlet, 175 
storage. See also backup and recovery 
Azure Data Box, 166 
configuring for failover clustering, 93 
laaS virtual machines 
troubleshooting, 226 
RSVs (Azure Recovery Services vaults), 121-122 
alerts, 123 
deleting, 123 
GRS (geo-redundant storage), 122 
LRS (locally redundant storage), 122 
ZRS (zone-redundant storage), 122 
tiering, 151-152 
Storage Migration Service, 158-159 
cutover phase, 162-164 
migrate to Azure virtual machines, 164 
Storage Migration Service Orchestrator, 159 
Storage QoS, 151 
store and forward replication, 239 
stretch clusters, 92 
System Insights, 202 


T 


Test-Cluster cmdlet, 90, 112 
threat and vulnerability management, 58 
tombstone lifetime, 232-234 
tool(s). See also WSMT (Windows Server Migration Tools) 
Active Directory Migration, 193-194 
Azure Migrate 
Discovery and Assessment, 167-168 
Server Migration, 168 
Credential Guard Readiness, 7 
DCDiag, 246-247 
LAPS (Local Administrator Password 
Solution), 32-34 
Local Group Policy Object, 17 
Microsoft Defender for Cloud 
adaptive application controls, 59 
adaptive network hardening, 60 
Azure security baselines, 58 
file integrity monitoring, 59 
JIT (just-in-time) access, 58 
threat and vulnerability management, 58 


Network Watcher, 210-211 
Policy Analyzer, 15-17 
repadmin, 241 
vssadmin, 135-136 
Web Deploy, 175 
troubleshooting 
AD DS (Active Directory Domain Services) 
DNS (Domain Naming System), 246-247 
KCC (Knowledge Consistency Checker), 239 
replication, 238 
SYSVOL, recovering, 242 
authentication 
identity synchronization, 242-243 
pass-through, 244-245 
password hash synchronization, 243-244 
Seamless SSO, 245-246 
Azure VPN, 208-212 
point-to-site, 212-213 
site-to-site, 213 
connectivity 
hybrid network, 210-211 
on-premises, 213-214 
DHCP, 219 
DNS, 214-215 
cache locking, 217 
event logs, 216-217 
netmask ordering, 218 
recursion, 217 
server tests, 216 
socket pool, 217 
zone level statistics, 218 
laaS virtual machines 
boot failures, 221-223 
connection issues, 227-229 
deployment failures, 220 
extension issues, 225 
performance issues, 224 
storage issues, 226 
trustlets, 9 
tunnel rules, 73-74 
Turn on Virtualization Based Security policy, 7 


U 


Uninstall-ADDSDomainController cmdlet, 248 
uninstalling, Windows Defender, 8 
Uninstall-WindowsFeature cmdlet, 8 
Update-ClusterFunctionalLevel cmdlet, 108 
Update-MpSignature cmdlet, 8 
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updates. See also WSUS (Windows Server Update Services) 
deploying, 63-64 

upgrading, S2D cluster, 114-115 

user rights assignment policy, 12-15 

USNs (update sequence numbers), 239-240 


V 


validating, failover cluster, 89-90 
virtual account, 20 
Virtual Secure Mode, WDAC (Windows Defender 
Application Control), 6 
VM Insights, 209-210 
VMs (virtual machines). See also Hyper-V VMs 
CPU groups, 151 
encrypted, restoring, 140 
extension issues, troubleshooting, 225 
failover clustering, 98 
laaS 
administrative connections, 227—229 
backup pre-check, 137 
boot failures, troubleshooting, 221-223 
deployment failures, troubleshooting, 220 
disk encryption, 83-84 
enabling backup, 136-137 
migrating physical workloads, 171-172 
migrating VM workloads, 169-171 
repairing, 223 
importing, 178 
JIT (just-in-time) access, 58, 229 
load balancing, 101-102 
migration, 164 
monitoring, 209-210 
performance, troubleshooting, 224 
on-premises, site recovery, 142-144 
recover to new Azure VM, 138-139 
restore and overwrite, 138 
restore disks, 139-140 
restoring individual files, 140-141 
site recovery, 144-145 
for Azure VMs, 144-145 
network, 145-146 
for on-premises VMs, 142-144 
VPN, troubleshooting, 208-212 
point-to-site, 212-213 
site-to-site, 213 
VSS (Volume Shadow Copy Services), 135-136 
vssadmin, 135-136 


Windows Server 


W 


WDAC (Windows Defender Application Control), 5-6 
Audit mode, 6-7 
features, 6 
Turn on Virtualization Based Security policy, 7 
Virtual Secure Mode, enabling, 6 
WDFAS (Windows Defender Firewall with Advanced 
Security), 68 
connection security rules, 72-73 
authentication exemptions, 74 
tunnel rules, 73-74 
domain isolation rules, 75-76 
firewall profiles, 68-69 
inbound rules, 69-70 
IPsec, 71-72 
outbound rules, 70-71 
Web Deploy, 175, 187 
Windows Admin Center 
managing failover clusters, 109-110 
monitoring servers, 201-202 
troubleshooting remote VM connectivity, 229 
Windows Defender. See also Defender for Identity 
Credential Guard, 9 
Enabled With UEFI Lock option, 10 
features and solutions, 9 
LSA (Local Security Authority) protection, 10 
Protected Users group, 9 
requirements, 9-10 
restrictions, 9 
Turn on Virtualization Based Security policy, 10 
gMSA (group-Managed Service Account), 19-20 
managing, 8 
uninstalling, 8 
Windows Server. See also migration 
audit policies, 21 
auditpol.exe, 22-23 
expression-based, 21-22 
file and folder, 22 
settings, 21 
Azure Update Management, 65-66 
backup and recovery, 119 
BitLocker, 78 
Group Policy, 79 
manage and recover encrypted volumes, 82 
Network Unlock, 80-81 
recovery, 79-80 
requirements, 78-79 
Controlled Folder Access, 4-5 
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Windows Server 


exploit protection, 2 Storage Migration Service Orchestrator, 159 
application-level settings, 3-4 System Insights, 202 
system-level settings, 3 Update Services, 60 
failover clustering, 87-88. See also S2D (Storage automatic approval rules, 64-65 
Spaces Direct) autonomous and replica modes, 61 
CAU (Cluster-Aware Updating), 106-107 deploying updates, 63-64 
cluster sets, 99 groups, 62-63 
configure workload options, 96 policies, 63 
configuring network adapters, 95 products, security classifications, and languages, 
create a Cloud witness, 100 60-61 
CSV (Cluster Shared Volumes), 93 security roles, 62 
dynamic quorum, 91-92 update files, 61-62 
File Server cluster role, 96-97 WDAC (Windows Defender Application Control), 5-6 
floating IP address, 100 Audit mode, 6-7 
installing, 89 features, 6 


load balancing, 100 Turn on Virtualization Based Security policy, 7 


manage using Windows Admin Center, 109-110 Virtual Secure Mode, enabling, 6 
modify quorum options, 93-94 Windows Defender 
NLB (network load balancing), 102-105 Credential Guard, 9-11 
prerequisites, 89 
prestage cluster computer objects, 90 
recover a failed cluster node, 107 
S2D (Storage Spaces Direct), 112-113, 115-116 
site spanning, 91-92 
split-brain scenarios, 92 
storage configuration, 93 
stretch clusters, 92 
upgrade a node to Windows Server 2022, 108-109 
validating, 89-90 
virtual machine, 98 
VM load balancing, 101-102 
VM Monitoring, 98 
workgroup clusters, 90-91 
workloads between nodes, 109 
Group Policy, user rights assignment policy, 12-15 


NTLM, disabling, 17-18 reguirements;i/4 
S2D (Storage Spaces Direct), 10-111 WSUS (Windows Server Update Services), 60 


cache drives, 113 automatic approval rules, 64-65 
DAX (direct access), 114 autonomous and replica modes, 61 
deploying updates, 63-64 

groups, 62-63 


uninstalling, 8 
Windows Server Backup, 128-129 
backup locations, 129-130 
MARS agent, 131-132 
deploying, 132-134 
minimum retention limits, 132 
restore from backups, 130-131 
restore to an alternative location, 131 
role and application backup, 130 
workgroup clusters, 90-91 
workload. See also VMs (virtual machines) 
cluster, 96 
migration. See migration 
WSMT (Windows Server Migration Tools), 172-174 
installing, 174 


deployment options, 111-112 
mirror-accelerated parity, 112 


nested resiliency, 112 policies, 63 
properties, 111 products, security classifications, and languages, 60-61 
resiliency types, 113 security roles, 62 

SCT (Security Compliance Toolkit), 15 update files, 61-62 


Local Group Policy Object tool, 17 
Policy Analyzer tool, 15-17 


service accounts, 18-20 X-Y-Z 


SmartScreen, 11 
Storage Migration Service, 158-159 ZRS (zone-redundant storage), 122 
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